ABSTRACT


We typically do not associate the field of graph theory with the field of cryptography. In
graph theory, the aim is to model relationships with a graph and examine properties of that
graph. The goal of cryptography is to design a system for secure communication over an
insecure channel. One connection between the two fields can be found with Cayley graphs and
Boolean functions (BFs). Accordingly, we can represent a cryptographic Boolean function
with a Cayley graph and examine its properties. In this thesis, we convert the substitution
boxes within the Data Encryption Standard (DES) to Boolean functions and represent them
with Cayley graphs. From the Cayley graph, we analyze the graph spectra and attempt
to determine a relationship with the cryptographic properties of the corresponding Boolean
functions. With the spectra, we also make some inferences about the structure of the Cayley
graph.


Table of Contents 


1 Introduction 1 

1.1 Motivation. 1 

1.2 Research Questions. 2 

1.3 Thesis Organization. 2 

2 Preliminaries on Algebra and Number Theory 5 

2.1 Number Theory. 5 

2.2 Abstract Algebra Concepts. 9 

3 Block Ciphers 21 

3.1 Introduction. 21 

3.2 Secure Communications. 21 

3.3 Block Ciphers. 24 

3.4 The Data Encryption Standard. 33 

4 Boolean Functions 51 

4.1 Boolean Algebra and Operations. 51 

4.2 Definitions and Representations. 53 

4.3 Cryptographic Properties of Boolean Functions. 58 

4.4 Bent Boolean Functions. 65 

4.5 Walsh Transform. 66 

4.6 Vectorial Boolean Functions. 72 

5 Basic Graph Theory 75 

5.1 Definitions. 75 

5.2 Matrix Representations. 77 

5.3 Spectral Graph Theory. 81 

5.4 Cayley Graphs. 91 

6 Data Encryption Standard (DES) Spectra 97 

6.1 Methods. 97 

6.2 DES S-Box Spectra. 99 

6.3 Relations. 132 

6.4 Expanders. 134 

6.5 Distance to Linear Functions. 136

7 Extensions on DES Substitution Boxes 139 

7.1 Methods. 139 

7.2 Results on Propagation Criteria of Degree 2. 140 

7.3 Results on Strict Avalanche Criteria. 141 

8 Conclusion 143 

8.1 Summary of Results. 143 

8.2 Areas for Future Work. 143

Appendix: Thesis Code 145 

A.1 Adjacency Matrix Coding. 145

A.2 PC Check Coding. 149 

List of References 151 

Initial Distribution List 159 


List of Figures 

Figure 3.1 The Basic Communication Scenario for Cryptography. 22 

Figure 3.2 General Structure of a Block Cipher. . 25 

Figure 3.3 General Structure of a Feistel System. 25 

Figure 3.4 Substitution-Permutation Network. 26 

Figure 3.5 Cipher Block Chaining Mode. 29 

Figure 3.6 5-bit Cipher Feedback Mode on 64-bit Plaintext. 30 

Figure 3.7 5-bit Output Feedback Mode on 64-bit Plaintext. 31 

Figure 3.8 Counter Mode. 33 

Figure 3.9 The DES Algorithm. 37

Figure 3.10 The DES Function f. 40

Figure 4.1 Transeunt Triangle Representation. 57 

Figure 5.1 A Graph G on n = 5 Vertices. 76 

Figure 5.2 Multigraph and Pseudograph, Respectively. 76 

Figure 5.3 A Graph and Its Associated Symmetric Adjacency Matrix. 78 

Figure 5.4 A Pseudograph and Its Associated Adjacency Matrix. 79 

Figure 5.5 The Petersen Graph. 90 

Figure 5.6 Cayley Graph Γ_f for the Function 1 ⊕ x₁ ⊕ x₂. 95

Figure 6.1 Cayley Graph Representation for f₁ of S-Box 1, Loops Not Present. 102

Figure 6.2 Cayley Graph Representation for f₂ of S-Box 1. 108

Figure 6.3 Walsh-Hadamard Spectra of S-Box 4 BFs. 115


Figure 6.4 Walsh-Hadamard Spectra of S-Box 5 BFs. 119 

Figure 6.5 Walsh-Hadamard Spectra of S-Box 6 BFs. 123 

Figure 6.6 Walsh-Hadamard Spectra of S-Box 7 BFs. 127 

Figure 6.7 Walsh-Hadamard Spectra of S-Box 8 BFs. 131 


List of Tables 


Table 2.1 The Cayley Table for Z 5 . 11 

Table 2.2 The Addition and Multiplication Tables for F 2 . 15 

Table 3.1 Analyzing Block Algorithms. 27 

Table 3.2 DES Initial Permutation. 38

Table 3.3 DES f Expansion Permutation. 39

Table 3.4 DES f Permutation. 39

Table 3.5 DES First Key Permutation. 41

Table 3.6 DES Key Left Shift Operation. 41

Table 3.7 DES Second Key Permutation. 41

Table 3.8 DES Inverse Initial Permutation. 42

Table 3.9 DES Substitution Box 1. 43

Table 3.10 DES Substitution Box 1 in Binary Form. 43

Table 4.1 Boolean Sum and Product Tables. 52

Table 4.2 Boolean Function Addition. 52

Table 4.3 Truth Table of a BF. 54

Table 4.4 Representations of a BF. 55

Table 4.5 Conversion from ANF to Truth Table Sequence. 56

Table 4.6 A 3-Variable BF, Correlation Immune of Order k = 1. 60

Table 4.7 A 3-Variable BF Satisfying the SAC. 63

Table 4.8 Truth Table Representation for 1 ⊕ x₁ ⊕ x₂. 69

Table 6.1 First 10 Truth Table Entries for S-Box 1. 98

Table 6.2 ANF and Degree of S-Box 1 BFs. 99

Table 6.3 Walsh Spectra and Walsh-Hadamard Spectra of S-Box 1 BFs. 100

Table 6.4 Cayley Graph Spectra of S-Box 1 BFs. 100

Table 6.5 Laplacian Spectra of Cayley Graphs Associated with S-Box 1 BFs. 101

Table 6.6 Cryptographic Properties of S-Box 1 BFs. 101

Table 6.7 S-Box 2 in Binary Form. 104

Table 6.8 ANF and Degree of S-Box 2 BFs. 105

Table 6.9 Walsh Spectra and Walsh-Hadamard Spectra of S-Box 2 BFs. 106

Table 6.10 Cayley Graph Spectra of S-Box 2 BFs. 106

Table 6.11 Laplacian Spectra of Cayley Graphs Associated with S-Box 2 BFs. 107

Table 6.12 Cryptographic Properties of S-Box 2 BFs. 107

Table 6.13 Properties of Cayley Graphs Associated with S-Box 2 BFs. 109

Table 6.14 S-Box 3 in Binary Form. 109

Table 6.15 ANF and Degree of S-Box 3 BFs. 110

Table 6.16 Walsh Spectra and Walsh-Hadamard Spectra of S-Box 3 BFs. 111

Table 6.17 Cayley Graph Spectra of S-Box 3 BFs. 111

Table 6.18 Laplacian Spectra of Cayley Graphs Associated with S-Box 3 BFs. 112

Table 6.19 Cryptographic Properties of S-Box 3 BFs. 112

Table 6.20 Properties of Cayley Graphs Associated with S-Box 3 BFs. 113

Table 6.21 S-Box 4 in Binary Form. 113

Table 6.22 ANF and Degree of S-Box 4 BFs. 114

Table 6.23 Cayley Graph Spectra of S-Box 4 BFs. 115

Table 6.24 Laplacian Spectra of Cayley Graphs Associated with S-Box 4 BFs. 116

Table 6.25 Cryptographic Properties of S-Box 4 BFs. 116 

Table 6.26 Properties of Cayley Graphs Associated with S-Box 4 BFs. 117 

Table 6.27 S-Box 5 in Binary Form. 117 

Table 6.28 ANF and Degree of S-Box 5 BFs. 118 

Table 6.29 Cayley Graph Spectra of S-Box 5 BFs. 119 

Table 6.30 Laplacian Spectra of Cayley Graphs Associated with S-Box 5 BFs. 120 

Table 6.31 Cryptographic Properties of S-Box 5 BFs. 120 

Table 6.32 Properties of Cayley Graphs Associated with S-Box 5 BFs. 121 

Table 6.33 S-Box 6 in Binary Form. 121 

Table 6.34 ANF and Degree of S-Box 6 BFs. 122 

Table 6.35 Cayley Graph Spectra of S-Box 6 BFs. 123 

Table 6.36 Laplacian Spectra of Cayley Graphs Associated with S-Box 6 BFs. 124 

Table 6.37 Cryptographic Properties of S-Box 6 BFs. 124 

Table 6.38 Properties of Cayley Graphs Associated with S-Box 6 BFs. 125 

Table 6.39 S-Box 7 in Binary Form. 125 

Table 6.40 ANF and Degree of S-Box 7 BFs. 126 

Table 6.41 Cayley Graph Spectra of S-Box 7 BFs. 127 

Table 6.42 Laplacian Spectra of Cayley Graphs Associated with S-Box 7 BFs. 127 

Table 6.43 Cryptographic Properties of S-Box 7 BFs. 128 

Table 6.44 Properties of Cayley Graphs Associated with S-Box 7 BFs. 128 

Table 6.45 S-Box 8 in Binary Form. 129 

Table 6.46 ANF and Degree of S-Box 8 BFs. 130 

Table 6.47 Cayley Graph Spectra of S-Box 8 BFs. 131 

Table 6.48 Laplacian Spectra of Cayley Graphs Associated with S-Box 8 BFs. 131 


Table 6.49 Cryptographic Properties of S-Box 8 BFs. 132

Table 6.50 Properties of Cayley Graphs Associated with S-Box 8 BFs. 132

Table 6.51 The DES Functions with Ramanujan Cayley Graphs. 136

Table 6.52 The Nearest Affine Functions to the DES S-Box BFs. 138

Table 7.1 Results of PC(2) Check on S-Boxes 1 and 2. 140

Table 7.2 Results of PC(2) Check on S-Boxes 3 and 4. 140

Table 7.3 Results of PC(2) Check on S-Boxes 5 and 6. 140

Table 7.4 Results of PC(2) Check on S-Boxes 7 and 8. 141

Table 7.5 Results of SAC Check on DES S-Boxes. 142

List of Acronyms and Abbreviations 


AES Advanced Encryption Standard 
ANF algebraic normal form 
ATM automated teller machine 
BF Boolean function 
CBC cipher block chaining 
CFB cipher feedback 
CTR counter 

DES Data Encryption Standard 

DFT discrete Fourier transform

ECB electronic codebook 

EFF Electronic Frontier Foundation

FIPS Federal Information Processing Standards 

GAC global avalanche criteria 

IBM International Business Machines 

IP initial permutation 

IV initialization vector 

LFSR linear feedback shift register 

NBS National Bureau of Standards 

NIST National Institute of Standards and Technology 

NPS Naval Postgraduate School 


NSA National Security Agency 

OFB output feedback 

PC propagation criteria 

PC personal computer

RSA Rivest-Shamir-Adleman 

SAC strict avalanche criteria 

S-Box substitution box 

SPN substitution-permutation networks 

TB terabytes 

U.S. United States 

WHT Walsh-Hadamard transform 

WT Walsh transform 

XOR exclusive or 


Acknowledgments 


First and foremost, I would like to thank God for allowing me to enjoy the many benefits 
of life. My accomplishments would not be possible without Him. 

Second, I thank the United States Army, in particular the United States Military Academy 
at West Point, for selecting me to attend graduate school and pursue an advanced degree. I 
know that this opportunity is not afforded to everyone, and I am grateful for the knowledge 
acquired through my studies. 

Third, I would like to thank the faculty of the Applied Mathematics department at the 
Naval Postgraduate School. Their professionalism, knowledge, and compassion made this 
an extremely enjoyable experience. In particular, I am grateful for my thesis advisor, Dr.
Pantelimon Stanica, who not only spent hours laboring through this thesis but is also by far
one of the most intelligent and brilliant mathematicians I have ever met. I am also thankful
for Drs. Ralucca Gera and Craig Rasmussen, whose help in editing my thesis is appreciated 
and whose love of graph theory helped me to enjoy a deeper understanding of the material. 
Additionally, I am indebted to Dr. David Canright, whose help in writing Maple code saved 
me numerous hours in computation. I also thank Lecturer Bard Mansager, who helped 
integrate me into the program and provided mentorship on countless occasions.

Fourth, I thank my peers in the department for their friendship, support, and guidance. Special
thanks go out to Lieutenant Colonels Randy Boucher and Jon Roginski, who provided
their wisdom in mentoring me through the maze of professional development.

Last but certainly not least, I thank my family for sticking by my side. My children, Hannah 
and Luke, are the two accomplishments I am most proud of in life. My wife, Lindsay, is 
the most loyal person I have ever met. In addition to being my best friend, she is the best 
mother for our children. 


RLTW! 





CHAPTER 1: 

Introduction 


Cryptography is often a word that the mainstream population associates with code breaking
or secret military intelligence work performed in an underground bunker, a view no doubt
promoted by movies such as The Da Vinci Code, Enigma, and National Treasure. While
there is perhaps a grain of truth in these stereotypes, cryptography is much more than this.
The mathematics behind cryptography is what keeps many of our daily communications
secure, i.e., safe enough from prying eyes.

Graph theory is an even more abstract concept for most people. The word graph typically
generates a mental image so ancient that most people would rather not return to middle
school algebra class, where basic functions were plotted on a two-dimensional plane.
Graph theory, however, is an emerging field that studies relationships between objects from
a mathematical perspective.

1.1 Motivation 

The motivation for this thesis came from a desire to connect two prominent areas of discrete
mathematics: cryptography and graph theory. The two specific areas linked in this work
are the Data Encryption Standard (DES) and spectral graph theory. DES has been analyzed
extensively since its inception in the 1970s, mainly for its weaknesses, with the purpose of
breaking the cipher and improving future algorithms. Some of the prominent researchers
of DES include Carlisle Adams, Eli Biham, Ernest Brickell et al., Don Coppersmith, Marc
Davio, Martin Hellman, Mitsuru Matsui, Adi Shamir, and Stafford Tavares, just to name
a few. On the other hand, spectral graph theory arose in roughly the same timeframe as
DES, with the intent of deducing properties of a graph from the spectra of its associated
matrices. By this, we mean that a graph can be represented by a matrix, whose eigenvalues
and eigenvectors can be analyzed to determine information about the graph.

Within cryptography, the author was particularly motivated by the works of Claude Carlet,
Thomas Cusick, and Pantelimon Stanica, who continue to solidify the role of Boolean
functions (BFs) in cryptography. While BFs have their place in logic and circuit design, their
use in cryptography continues to be a topic of relevance. Within spectral graph theory, the
classic references are written by Norman Biggs, Dragos Cvetkovic et al., and Fan Chung.
The more recent work by Stanley Florkowski [1], however, was particularly influential in
directing the author's focus to something tangible rather than theoretical.

A BF has a graphical representation, known as a Cayley graph, that can be analyzed in 
terms of its spectrum. The term spectrum will become clearer in Chapters 4 and 5, but note 
that a BF has a representation in terms of a type of spectrum and a graph also has a spectral 
representation by its eigenvalues. Anna Bernasconi and Bruno Codenotti linked these two 
spectra with their discovery that a relation exists between the Walsh spectrum of a BF and 
the spectrum of its associated Cayley graph. 

To this point, no one has attempted to analyze DES in terms of Cayley graph
spectra. Some have analyzed aspects of BFs and their use in block ciphers such as
DES, but no one has converted all eight substitution boxes (S-Boxes) in DES to a set of BFs
and analyzed the spectra of their corresponding Cayley graph adjacency matrices.
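The relation just described, the Walsh spectrum of a BF against the adjacency spectrum of its Cayley graph, worked on one of the DES S-box Boolean functions. This is an added example and not code from the thesis; it assumes the FIPS 46-3 listing of S-box 1 and the FIPS input-bit ordering (outer bits select the row, inner bits the column), which may differ from the ordering of the thesis's own truth tables, and every function name in it is the example's own. For the 0/1-valued function f on F₂ⁿ, the Cayley graph has the 2ⁿ inputs as vertices and joins x to y exactly when f(x ⊕ y) = 1; its adjacency eigenvalues are the Walsh coefficients F(w) = Σₓ f(x)(−1)^{w·x}, because each character χ_w(x) = (−1)^{w·x} is an eigenvector with eigenvalue F(w). The code verifies that identity coordinate by coordinate against the adjacency matrix rather than with a numeric eigensolver, and also computes the ±1-form Walsh-Hadamard spectrum, related by W(w) = 2ⁿ[w = 0] − 2F(w), and the distance from f to the nearest affine function.

```python
"""Added example (not from the thesis): the Walsh spectrum of a DES S-box
output bit next to the spectrum of that Boolean function's Cayley graph.

Assumptions: DES S-box 1 is copied from FIPS 46-3, and inputs are indexed the
FIPS way (outer bits b1 b6 select the row, inner bits b2..b5 the column). The
thesis may order its truth tables differently, which permutes the spectra but
does not change the relation demonstrated here.
"""

# DES S-box 1, 4 rows x 16 columns (FIPS 46-3).
SBOX1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
N_IN = 6  # S-box input bits, so the Cayley graph has 2^6 = 64 vertices


def sbox_lookup(sbox, x):
    """x is a 6-bit input b1..b6 with b1 as the most significant bit."""
    row = (((x >> 5) & 1) << 1) | (x & 1)  # b1 b6
    col = (x >> 1) & 0xF                   # b2 b3 b4 b5
    return sbox[row][col]


def component_bf(sbox, bit):
    """Truth table of output bit `bit` (0 = least significant) as a list of 0/1
    indexed by the 64 inputs: one of the four Boolean functions of the S-box."""
    return [(sbox_lookup(sbox, x) >> bit) & 1 for x in range(1 << N_IN)]


def dot(w, x):
    """Inner product w . x over F_2 (parity of the bitwise AND)."""
    return bin(w & x).count("1") & 1


def walsh_spectrum(f):
    """Walsh coefficients of the 0/1-valued f: F(w) = sum_x f(x) (-1)^(w.x)."""
    size = len(f)
    return [sum(f[x] * (1 - 2 * dot(w, x)) for x in range(size)) for w in range(size)]


def walsh_hadamard_spectrum(f):
    """Walsh-Hadamard coefficients of the +-1-valued form (-1)^f:
    W(w) = sum_x (-1)^(f(x) + w.x)."""
    size = len(f)
    return [sum((1 - 2 * f[x]) * (1 - 2 * dot(w, x)) for x in range(size))
            for w in range(size)]


def cayley_adjacency(f):
    """Cayley graph of f: vertices are the inputs x in F_2^n, and x ~ y exactly
    when f(x xor y) = 1. A loop sits on every vertex if f(0) = 1."""
    size = len(f)
    return [[f[x ^ y] for y in range(size)] for x in range(size)]


def cayley_spectrum(f):
    """Eigenvalues of the adjacency matrix, one per character chi_w(x) = (-1)^(w.x).

    Each chi_w is an eigenvector: (A chi_w)(x) = sum_y f(x^y) chi_w(y)
    = chi_w(x) * sum_z f(z) chi_w(z) = chi_w(x) * F(w). The 2^n characters are
    linearly independent, so this is the whole spectrum. The identity is verified
    coordinate by coordinate instead of calling a numeric eigensolver.
    """
    A = cayley_adjacency(f)
    size = len(f)
    eigenvalues = []
    for w in range(size):
        chi = [1 - 2 * dot(w, x) for x in range(size)]
        A_chi = [sum(A[x][y] * chi[y] for y in range(size)) for x in range(size)]
        lam = A_chi[0]  # chi[0] = 1, so this coordinate is the eigenvalue itself
        if any(A_chi[x] != lam * chi[x] for x in range(size)):
            raise AssertionError("chi_w failed to be an eigenvector")
        eigenvalues.append(lam)
    return eigenvalues


def nonlinearity(f):
    """Hamming distance from f to the nearest affine function:
    2^(n-1) - max_w |W(w)| / 2."""
    size = len(f)
    return size // 2 - max(abs(v) for v in walsh_hadamard_spectrum(f)) // 2


if __name__ == "__main__":
    for bit in range(4):
        f = component_bf(SBOX1, bit)
        F, lam = walsh_spectrum(f), cayley_spectrum(f)
        print(f"S-box 1 output bit {bit}: Walsh spectrum == Cayley spectrum: {F == lam}; "
              f"degree {lam[0]}, distinct eigenvalues {sorted(set(lam))}, "
              f"nonlinearity {nonlinearity(f)}")
```

Because every row of a DES S-box is a permutation of 0..15, each output bit is balanced, so the w = 0 coefficient (which is also the degree of every vertex of the Cayley graph) is 32 for each of the four functions and W(0) = 0; the other coefficients are what distinguish the functions cryptographically.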

1.2 Research Questions 

DES is a block cipher utilizing a substitution step via the aforementioned boxes. These
boxes form the only nonlinear part of the algorithm and thus contribute to the overall security of
the cipher. With this in mind, we aim to explore the following questions:

1. What are the BF representations of the DES S-Boxes?

2. What are the cryptographic properties of these BFs?

3. What properties of the associated Cayley graphs can be deduced from spectral graph
theoretic techniques?

4. Is there a relationship between the Cayley graph spectra and the cryptographic
properties of the associated BFs?

5. Do the DES S-Box BFs satisfy the propagation criteria (PC) of degree k?

1.3 Thesis Organization 

Through the process of investigating the research questions, this thesis is organized in the
following manner:

• Chapter 2 discusses the necessary background in algebra and number theory.

• Chapter 3 reviews basic concepts of cryptography and also discusses the organization
of DES.

• Chapter 4 discusses BFs and their application in cryptography.

• Chapter 5 reviews graph theory terminology and introduces spectral graph theory.

• Chapter 6 examines the DES S-Boxes as BFs and their associated Cayley graphs.

• Chapter 7 extends the notion of propagation criteria to the DES BFs.

• Chapter 8 summarizes the results of this thesis and includes areas for future work.
CHAPTER 2:

Preliminaries on Algebra and Number Theory 


This introductory chapter and the several that follow establish the foundation upon which
the mathematics presented in this thesis depends. The algebra presented here goes beyond
our usual idea of arithmetic, in that we consider familiar operations and sets on an abstract
level. This chapter is by no means all-inclusive, and the interested reader should
consult some of the more classic texts on abstract algebra by John Fraleigh [2] and Thomas
Hungerford [3].

2.1 Number Theory 

Number theory is primarily the study of the set of integers and their properties [4]. These
topics essentially bridge the gap between basic arithmetic and advanced algebra. The
definitions presented in this section are taken from [3].

2.1.1 Divisibility 

A set is an unordered collection of objects. We assume that the reader is familiar with some
basic mathematical sets of numbers as follows:


N = {0, 1, 2, 3, ...}

Z = {..., −2, −1, 0, 1, 2, ...}

Q= 


Definition 2.1.1. Let a, b ∈ Z with a ≠ 0. Then a divides b, or a is a divisor of b, or b is a
multiple of a, if b = ak for some integer k. We denote this by a | b.

Definition 2.1.2. An integer p with p ≠ 0, ±1 is called prime if its only divisors are ±1 and ±p.

EXAMPLE 2.1.3. −5, 3, 11, and 29 are prime, but 24 is not.

Definition 2.1.4. Let a, b ∈ Z, not both zero. The greatest common divisor (gcd) of a
and b is the largest d ∈ Z that divides both a and b. Equivalently, d is the gcd of a and b
provided that:


(i) d | a and d | b;

(ii) if c | a and c | b, then c ≤ d (for all c ∈ Z⁺).

EXAMPLE 2.1.5. The gcd of 8 and 36 is 4.

Definition 2.1.6. If gcd(a, b) = 1, then a and b are called relatively prime.

EXAMPLE 2.1.7. 9 and 25 are relatively prime.

2.1.2 Congruence 

This section continues the concept of divisibility, while also introducing congruence and
congruence classes. Once again, these definitions and concepts are taken from [3].

Definition 2.1.8. Let a, b, n ∈ Z with n > 0. Then a is congruent to b modulo n provided
that n | (a − b) or n | (b − a). Note: This is written as a ≡ b (mod n).

EXAMPLE 2.1.9. 23 ≡ 11 (mod 6) since 6 | (23 − 11). Also, 4 ≡ 13 (mod 3) since
3 | (13 − 4).

If we alter the second part of Example 2.1.9, note that 4 ≡ 16 (mod 3), 4 ≡ 19 (mod 3), 4 ≡
22 (mod 3), ... This allows us to define the notion of a congruence class.

Definition 2.1.10. Let a, n ∈ Z with n > 0. The congruence class of a modulo n (denoted
[a]) is the set of all integers congruent to a modulo n, i.e.,

[a] = {b | b ∈ Z and b ≡ a (mod n)}.

EXAMPLE 2.1.11. In congruence modulo 4, [3] = {..., −9, −5, −1, 3, 7, 11, 15, 19, ...},
sometimes also denoted [3]₄. Also, note that [3]₄ = [−1]₄. In some circles, [3]₄ is also
called the residue class of 3 mod 4.

The next logical question is how many congruence classes there are for a given n. After
all, [3]₄ = [−1]₄ = [7]₄ = [11]₄ = ..., but [2]₄ ≠ [3]₄. The answer lies in Definition 2.1.12.



Definition 2.1.12. The set of all congruence classes modulo n is a partitioning of the set Z
into n distinct equivalence classes, given by


Zₙ = {[0], [1], [2], ..., [n − 1]}.

EXAMPLE 2.1.13. Z₄ = {[0], [1], [2], [3]}. This means that the elements of Z₄ are
congruence classes and not integers. Here are the elements of Z₄:

[0] = {..., −8, −4, 0, 4, 8, 12, ...}

[1] = {..., −7, −3, 1, 5, 9, 13, ...}

[2] = {..., −6, −2, 2, 6, 10, 14, ...}

[3] = {..., −5, −1, 3, 7, 11, 15, ...}.

The important distinction here is that while each congruence class in Zₙ has infinitely
many elements [3], there are only finitely many distinct congruence classes in Zₙ.
Thus, while it is true that [−3]₄ = [1]₄ = [5]₄ = [9]₄, the distinct classes of Z₄ are
[0], [1], [2], and [3].

2.1.3 Modular Arithmetic 

Ever since grade school, we have performed operations on the integers. The integers,
however, are an infinite set, and the set we are interested in, Zₙ, is a finite set. We would
like a way to perform operations on Zₙ, and this is where modular arithmetic emerges.

Returning to the idea of congruence, recall that a ≡ b (mod n) ⟺ n | (a − b). This number
n is called the modulus, and in the context of this congruence, mod represents a relation on
the integers [4]. We now introduce some new notation that is closely related.

If we were asked to compute 11/4 in grade school, most of us resorted to long division:

       2 r 3
     -------
   4 ) 11
        8
       --
        3

In traditional grade school terminology, 4 is the divisor, 11 is the dividend, 2 is the quotient,
and 3 is the remainder. In the context of abstract algebra and cryptography, the remainder
(sometimes called the residue) is often the object that garners the most attention.

Definition 2.1.14. The notation r = a mod d, where a is the dividend, d is the divisor, and
r is the remainder, represents the least nonnegative remainder when a is divided by d, i.e.,
the unique r with a = dq + r and 0 ≤ r < d.

EXAMPLE 2.1.15. 11 mod 4 = 3, −7 mod 4 = 1, 7 mod 4 = 3, 136 mod 13 = 6. Note:
−7 mod 4 = 1 since −7 = 4(−2) + 1 as a result of the division algorithm (omitted by
assumption of reader knowledge).

The notation mod n is a function, but it is closely related to the mod defined in congruence.
The relationship is given by Theorem 2.1.16 [4].

Theorem 2.1.16. Let a, b ∈ Z and let n ∈ Z⁺ (the set of positive integers). Then a ≡ b
(mod n) ⟺ a mod n = b mod n.

Proof: (⟹) a ≡ b (mod n) ⟹ n | (a − b) ⟹ a − b = nk for some k ∈ Z. (*)

Let r = a mod n. Then ∃ q ∈ Z such that a = nq + r, 0 ≤ r < n, by
the Division Algorithm. Now substitute a = nq + r into (*):

nq + r − b = nk
n(q − k) + r = b, with (q − k) ∈ Z,

so r = b mod n by the uniqueness of the remainder, and therefore

b mod n = a mod n.

(⟸) Let r = a mod n = b mod n. Then a = nq₁ + r and b = nq₂ + r. Solving these equations
for r, we have r = a − nq₁ and r = b − nq₂. Therefore,

a − nq₁ = b − nq₂
a − b = nq₁ − nq₂
a − b = n(q₁ − q₂), with (q₁ − q₂) ∈ Z,
n | (a − b)
a ≡ b (mod n).
Armed with this knowledge, we can now define arithmetic on Zₙ. The two operations that
we are concerned with are addition and multiplication.

Definition 2.1.17. Addition and multiplication in Zₙ are defined by

[a]ₙ + [b]ₙ = [a + b]ₙ = [(a + b) mod n]ₙ
[a]ₙ · [b]ₙ = [ab]ₙ = [(a · b) mod n]ₙ.

EXAMPLE 2.1.18. In Z₆, [3] + [2] = [5], [4] + [5] = [3], and [3] · [2] = [0].

2.2 Abstract Algebra Concepts 

The remaining portion of this chapter will focus on the abstract algebra concepts at the 
heart of cryptography. For a truly deep understanding of these topics, the reader should 
consult an algebra reference with a cryptographic focus such as Fraleigh [2] or Rudolf Lidl 
and Harald Niederreiter [5]. 

2.2.1 Binary Operations 

We first need to define a few operations on mathematical sets. It is assumed that the reader 
has some basic knowledge of set theory. 

Definition 2.2.1. Let A and B be sets. The Cartesian product of A and B is given by the
set A × B, defined [2] as


A × B = {(a, b) : a ∈ A and b ∈ B}.

EXAMPLE 2.2.2. If A = {a, b} and B = {y, z}, then A × B = {(a, y), (a, z), (b, y), (b, z)}.

For the purposes of upcoming material, we will often be concerned with the Cartesian
product of two sets which are the same, i.e., A × A. Consider Z, the set of integers, and the
familiar operation of addition. If we take two arbitrary integers, say u and v, and perform
addition on them, we get back another integer w (of course w may or may not be equal to u
or v). We have just defined, albeit informally, a binary operation on Z.

Definition 2.2.3. A binary operation [2] on a nonempty set S is a function mapping S × S
into S, given mathematically as f : S × S → S.

This operation is symbolized by *, to indicate any general function satisfying the definition.
Addition is not the only binary operation on Z; multiplication is another. In
other words, assuming (a, b) ∈ S × S, a binary operation * on S assigns (a, b) to a * b ∈ S.

2.2.2 Groups

We now turn our attention to one of the oldest algebraic systems in mathematics: groups.
Group theory, or the study of groups, was introduced by Evariste Galois, and the branch of it
that settles the solvability of polynomial equations is known as Galois theory. Galois was a
19th century French mathematician who lived just 20 years, meeting his fate following a
pistol duel. Despite spending the majority of his teen years trying to gain acceptance into
school and failing, Galois did manage to record his discoveries. One of these results concerned
the solvability of an algebraic equation of high degree by radicals; the method he used
became known as group theory [6].


Definition 2.2.4. A group is a nonempty set G together with a binary operation * that
satisfies the following axioms:

1. Closure: If a, b ∈ G, then a * b ∈ G.¹

2. Associativity: (a * b) * c = a * (b * c) ∀ a, b, c ∈ G.

3. Existence of an identity: ∃ e ∈ G such that ∀ a ∈ G, a * e = a = e * a.

4. Existence of an inverse: ∀ a ∈ G, ∃ a′ ∈ G such that a * a′ = a′ * a = e.

A group is abelian (sometimes called commutative) if it also satisfies the following
axiom:

5. Commutativity: a * b = b * a ∀ a, b ∈ G.


EXAMPLE 2.2.5. (Z, +) is an abelian group. The sum of any two integers is another
integer, and addition is associative. The identity element in Z is 0, and the inverse of an
element is the element of opposite sign. Also, addition of integers is commutative.

EXAMPLE 2.2.6. (Zₙ, +) = ({[0], [1], [2], ..., [n − 1]}, +), with [a] + [b] = [a + b]ₙ, is a
group under addition modulo n.

¹Some texts do not include this axiom since closure is an inherent property of a binary operation.


EXAMPLE 2.2.7. The set of all n × n matrices with real entries under matrix multiplication
is not a group. In particular, the zero matrix has no inverse.

With regard to Examples 2.2.5 and 2.2.6, (Z, +) is an example of an infinite group because
it contains infinitely many elements. The second example is a finite group because it
contains a finite number of elements. The number of elements in a finite group G is the order
of the group [5]. For those familiar with set theory, this term is analogous to the cardinality
of a finite set. We also sometimes refer to a group under addition as an additive group,
while a group whose binary operation is multiplication is called a multiplicative group.

A convenient way to display a group under its binary operation is via the Cayley table,
sometimes also called a group table or addition/multiplication table. In this table, the
elements of a group G are placed along the top row and leftmost column, and the (i, j) entry
in this table represents aᵢ * aⱼ. For example, Table 2.1 displays the group Z₅ under addition
modulo 5.


  +  | [0] [1] [2] [3] [4]
-----+--------------------
 [0] | [0] [1] [2] [3] [4]
 [1] | [1] [2] [3] [4] [0]
 [2] | [2] [3] [4] [0] [1]
 [3] | [3] [4] [0] [1] [2]
 [4] | [4] [0] [1] [2] [3]

Table 2.1: The Cayley Table for Z₅.


There is much more detail in the realm of group theory, but that is beyond the knowledge 
required for this thesis. The interested reader should consult [2,5] for a deeper look. 

2.2.3 Rings

We now move on to the concept of a ring, in which two binary operations and additional
axioms are defined. While the origins of a ring date back to the mid-19th century, the
formal definitions of a ring and ring theory did not appear until the early 1900s. William
Rowan Hamilton first described a complex number system coined the quaternions, in which he
attempted to apply vector algebra to 3-dimensional space. This formed the basis upon which
subsequent mathematicians attempted to study finite commutative and noncommutative
algebras. Israeli mathematician Abraham Fraenkel and Japanese mathematician Shozo Sono
are credited with defining the concept of a ring in 1914 and 1917, respectively. Emmy Noether
and Emil Artin formally theorized rings in the 1920s, and ring theory took off from there with
the works of Wolfgang Krull and others [6,7].


Definition 2.2.8. A ring (R, +, ·) is a nonempty set R together with two binary operations
+ and ·, which we call addition and multiplication, such that the following axioms are
satisfied [2,5]:

1. (R, +) is an abelian group.

2. Multiplication is associative, i.e., (a · b) · c = a · (b · c) ∀ a, b, c ∈ R.

3. The distributive laws hold, i.e., ∀ a, b, c ∈ R, we have a · (b + c) = a · b + a · c and
(b + c) · a = b · a + c · a.


EXAMPLE 2.2.9. The set of integers Z is a ring with the usual addition and multiplication.
Verification of the axioms is left to the reader.

Some rings have additional special properties that are worth noting. A ring is commutative
if the multiplication operation · is commutative. Also, a ring is called a ring with identity
if R contains a multiplicative identity, i.e., there exists an element e such that a · e = a =
e · a ∀ a ∈ R. Thus, Z is a commutative ring with identity [5].

EXAMPLE 2.2.10. The set of even integers with the usual operations is a ring; in fact it
is a commutative ring (without identity, since 1 is not even). The set of odd integers is not
a ring since closure under addition is not satisfied.

EXAMPLE 2.2.11. The sets Q, R, and C are all commutative rings with identity.

2.2.4 Fields

The interesting thing about fields is that mathematicians were studying them well before
the formal concept of a ring was defined, yet we often define fields as a special type of
ring. Niels Abel and Galois inferred the idea of a field with their work on the solvability
of equations circa the 1830s; it was not until 1879, when Richard Dedekind published an
explicit definition for a field, that interest in the subject grew. Dedekind focused on
infinite sets, whereas Heinrich Weber discussed the notion of finite fields in 1893. It was
Galois, however, that perhaps influenced the development of field theory the most. As a
result, finite fields are also known as Galois fields [2,6].

Definition and Examples

Definition 2.2.12. A field F is a commutative ring R with identity e ≠ 0 also satisfying the
following axiom [3]:

★ ∀ a ≠ 0 in R, the equation ax = e has a solution in R [every nonzero element has a
multiplicative inverse].


An alternative definition of a field given by Fraleigh [2] and Lidl and Niederreiter [5] is
perhaps more appealing to the mathematically inclined:


Definition 2.2.13. (i) A ring with a multiplicative identity is called a ring with identity;
the identity is often called unity.

(ii) A ring in which multiplication is commutative is called a commutative ring.

(iii) A ring is an integral domain if it is a commutative ring with identity e ≠ 0 in which
ab = 0 implies a = 0 or b = 0.

(iv) A ring is called a division ring if the nonzero elements of R form a group under
multiplication (every nonzero element has a multiplicative inverse in R).

(v) A commutative division ring is called a field.


Breaking down Definition 2.2.13, a field is a ring on which two binary operations (called
multiplication and addition) are defined, also containing a unique zero element and identity
e ≠ 0. Since a field is a commutative division ring, its nonzero elements form an abelian
group under multiplication. A field is therefore also an integral domain in the sense of
part (iii): it has no zero divisors, because if ab = 0 with a ≠ 0, then b = a⁻¹(ab) = a⁻¹ · 0 = 0.

EXAMPLE 2.2.14. Q, R, and C are all fields. However, Z is not a field since not all
nonzero elements have a multiplicative inverse, e.g., 3x = 1 has no solution in Z.

EXAMPLE 2.2.15. In general, Zₙ is not an integral domain and thus not a field, but when
n = p is prime, Zₚ is an integral domain and thus a field (proof omitted). For example, in
Z₄ we have 2 · 2 = 0 but 2 ≠ 0.

Finite Fields 

Example 2.2.15 from above illustrates a concept which is at the heart of cryptography, that 
of the finite field. A finite field is a field that contains only finitely many elements. While 
the theory of finite fields is very deep and mathematical, the background presented here is 
enough to give the reader a baseline of knowledge. Lidl & Niederreiter [5] devote an entire 
text to the subject. 

Recall that we denoted the set of all congruence classes modulo n as $\mathbb{Z}_n$. By noting that 
this set is also the set of possible remainders when a positive integer is divided by n, we 
can also refer to this as the set of residue classes mod n. We now define an ideal, which is 
a subring $J$ of a ring $R$ such that for all $a \in J$ and $r \in R$ we have $ar \in J$ and $ra \in J$. Note, 
for $J$ to be a subring, $J$ must be closed under $+$ and $\cdot$ and also satisfy the ring axioms. 
An ideal $J$ partitions a ring $R$ into disjoint sets (called cosets); these disjoint sets are the 
residue classes modulo $J$. The entire set of residue classes modulo $J$ forms a ring with the 
operations induced from the operations of $R$ (proof omitted), called the residue class ring 
of $R$ modulo $J$, symbolized by $R/J$ [5]. Depending on the source, some texts also call this 
$R/J$ the factor ring (or quotient ring) of $R$ by $J$ [2]. 

When we consider our example from above, $\mathbb{Z}_n$, the residue class ring $\mathbb{Z}/(n)$ contains the 
following elements: 

$[0] = 0 + (n),\ [1] = 1 + (n),\ \ldots,\ [n-1] = (n-1) + (n).$ 

Instead of $(n)$, some texts also use the notation $n\mathbb{Z}$ to represent the ideal of $\mathbb{Z}$ in the factor 
ring $\mathbb{Z}/n\mathbb{Z}$. The notation $(n)$ is the same as $n\mathbb{Z}$; it is the principal ideal generated by n, 
i.e., the set of all multiples of n in $\mathbb{Z}$. While not shown here, $\mathbb{Z}_n$ is isomorphic to $\mathbb{Z}/n\mathbb{Z}$, 
i.e., there is an injective and surjective homomorphism between the two (preserving the 
respective operations). Since $\mathbb{Z}_n$ is a field if and only if $n = p$ a prime, the factor ring 
$\mathbb{Z}/n\mathbb{Z}$ is a field if and only if n is a prime [2]. 

The residue class fields $\mathbb{Z}/(p)$ where p is a prime form the basis for the finite fields used 
in this thesis. We would like a more convenient representation and usage of these residue 
class fields. A mapping is a convenient way to transfer the structure from one set to another [5]. 
The set without structure will be denoted by $GF(p) = \{0, 1, \ldots, p-1\}$, where 
this is a set of integers with p elements. Let $\phi : \mathbb{Z}/(p) \to GF(p)$ be a bijective mapping 
defined by $\phi([a]) = a$ for $a = 0, 1, \ldots, p-1$. It is not too difficult to show that $\phi$ is also 
a homomorphism, i.e., $\phi([a] + [b]) = \phi([a]) + \phi([b])$ and $\phi([a][b]) = \phi([a])\phi([b])$. Since 
this mapping is a bijective homomorphism, it can also be called an isomorphism, whereby 
the structure on $GF(p)$ is induced by $\phi$. Moreover, since $\mathbb{Z}/(p)$ is a field when p is prime, 
$GF(p)$ is a field induced by $\phi$. Note, we are not stating that the elements of $\mathbb{Z}/(p)$ and 
$GF(p)$ are the same, only that the structure of a finite field is transferred between the two. 

The finite field $GF(p)$ is so important that it is called the Galois field of order p after 
E. Galois. For conciseness, Galois fields are also denoted by $\mathbb{F}_p$ and will henceforth be 
referred to as such in this thesis. Since the elements of $\mathbb{F}_p$ are ordinary integers, arithmetic 
in the field is carried out modulo p. 

Consider the following example for $\mathbb{F}_2 = \{0, 1\}$ in Table 2.2. 

  +  | 0  1          ·  | 0  1 
  ---+------         ---+------ 
  0  | 0  1          0  | 0  0 
  1  | 1  0          1  | 0  1 

Table 2.2: The Addition and Multiplication Tables for $\mathbb{F}_2$, after [5]. 


There are a few more things to say about Galois fields, but first we need a short buildup. 
We define the characteristic of a ring as the least positive integer n such that $na = 0$ for 
all elements a in the ring (if such n exists, otherwise the ring has characteristic 0) [2]. For 
example, the ring $\mathbb{Z}_n$ has characteristic n and the ring $\mathbb{Q}$ has characteristic 0. 

Let F be a field and K a subfield of F (a subset that is also a field and closed under the usual 
operations). Then F is an extension field of K [5]. Now, if E is an extension field of F with 
dimension n as a vector space over F (see next subsection), then E is a finite extension of 
degree n over F. If a finite field F has q elements, then E has $q^n$ elements assuming E 
is a finite extension of degree n over F. We can also regard E as a vector space (see next 
section) of dimension n over F. 


If E is a finite field of characteristic p a prime, then E contains exactly $p^n$ elements for some 
positive integer n [2]. This result follows from the previous paragraph. This result implies 
for every prime p and every positive integer n, there exists exactly one finite field with $p^n$ 
elements, i.e., $GF(p^n) = \mathbb{F}_{p^n}$ exists, and moreover, it is unique up to an isomorphism. 

Polynomials 

When we think of our usual idea of a polynomial, we remember something like $x^2 + 2x + 1$ 
from high school. In general, a polynomial can be written as $a_0 + a_1 x + \cdots + a_n x^n$ or as a 
sum $\sum_{i=0}^{n} a_i x^i$. We now expand this concept to rings. 

Let R be a ring. A polynomial over R is an expression of the form 

$$f(x) = \sum_{i=0}^{n} a_i x^i = a_0 + a_1 x + \cdots + a_n x^n \qquad (2.1)$$ 

where n is a nonnegative integer and the $a_i$ are elements of R [5]. The symbol x is no longer 
called a variable, but rather an indeterminate; x does not belong to R. Since R is a ring, we 
also need to define its two binary operations, addition and multiplication. Let $f(x) = \sum_{i=0}^{n} a_i x^i$ 
and $g(x) = \sum_{i=0}^{n} b_i x^i$. The sum of $f(x)$ and $g(x)$ is given by $f(x) + g(x) = \sum_{i=0}^{n} (a_i + b_i) x^i$. Now, 
let $f(x) = \sum_{i=0}^{n} a_i x^i$ and $g(x) = \sum_{j=0}^{m} b_j x^j$. Then the product is given by $f(x)g(x) = \sum_{k=0}^{n+m} c_k x^k$, 
where $c_k = \sum_{i+j=k} a_i b_j$. 

The set of all polynomials over R together with the addition and multiplication operations above is called the 
polynomial ring over R [5] and is denoted by $R[x]$. 

EXAMPLE 2.2.16. In $\mathbb{F}_2[x]$, the expansion of $(x+1)^2$ is $(x+1)^2 = (x+1)(x+1) = 
x^2 + 2x + 1 = x^2 + 1$ and in general, $(x+a)^{2^n} = x^{2^n} + a^{2^n}$. 

For cryptography purposes, we are more interested in polynomials over fields but the approach 
is somewhat different. Let F be a field. Then $F[x]$ is an integral domain but not a 
field since x does not have a multiplicative inverse in $F[x]$, i.e., in $F[x]$, $x f(x) = 1$ has no 
solutions [2]. We can get around the fact that $F[x]$ is not a field because every integral domain 
has a field of quotients. This field of quotients is denoted by $F(x)$ and consists of all 
quotients of the form $f(x)/g(x)$, with $f(x)$ and $g(x)$ polynomials in $F[x]$ and $g(x) \neq 0$ [2]. 
$F(x)$ is also called the field of rational functions over F; its elements are called rational 
functions. 

EXAMPLE 2.2.17. In the most general sense, $F[x]$ is the ring of polynomials with coefficients 
in some arbitrary field F. $\mathbb{F}_5[x]$ consists of all polynomials whose coefficients are in 
$\mathbb{F}_5$. 

We now proceed to develop and define two more concepts which are essential to cryptographic 
functions: irreducibility and primitivity. Since $F[x]$ has a field of quotients, it is 
natural to expect operations such as division and factoring are present. In fact, they are, 
and just like with integers, the division algorithm can be applied to polynomials in $F[x]$. 
Likewise, a greatest common divisor also exists in $F[x]$ as well as a least common multiple. 
The notion of a prime polynomial also exists and the concept is analogous to the integers. 
Two polynomials f and g are relatively prime if $\gcd(f, g) = 1$. Similarly, a polynomial 
$p(x)$ is prime if it has the property that it divides the product $f(x)g(x)$ only when it divides 
one of $f(x)$ or $g(x)$. In other words, the only factors of $p(x)$ have either the same degree as 
p or degree zero. 

EXAMPLE 2.2.18. $p(x) = x^2 + 1$ is prime in $\mathbb{R}[x]$ since it does not factor into a product 
$f(x)g(x)$, where $f(x)$ and $g(x)$ are polynomials with real coefficients. It is, however, not 
prime (i.e., composite) in $\mathbb{C}[x]$! 

Definition 2.2.19. A polynomial $p \in F[x]$ is irreducible over F (or irreducible in $F[x]$, or 
prime in $F[x]$) if p has positive degree and $p = bc$ with $b, c \in F[x]$ implies that either b or c 
is a constant polynomial. 

In other words, an irreducible polynomial cannot be factored further except for a trivial 
factorization, i.e., p cannot be expressed as a product gh with both g and h of lower degree than the 
degree of p [2,5]. It should be apparent that the prime elements of $F[x]$ are the irreducible 
polynomials over a field F. Example 2.2.20 illustrates the idea of irreducibility. 

EXAMPLE 2.2.20. $x^2 - 2 \in \mathbb{Q}[x]$ is irreducible over the field $\mathbb{Q}$ of rationals since it has no 
zeros in $\mathbb{Q}$. However, $x^2 - 2$ is reducible over $\mathbb{R}$ since it factors in $\mathbb{R}[x]$ into 
$(x + \sqrt{2})(x - \sqrt{2})$. 


With the notion of an irreducible polynomial, we can now develop the idea of primitive 
polynomials. First we need to define the order of a nonzero polynomial over a finite field, 
taken from Lidl et al. 

Definition 2.2.21. Let $f \in \mathbb{F}_q[x]$ be a nonzero polynomial. If $f(0) \neq 0$, then the least 
positive integer e for which $f(x) \mid (x^e - 1)$ is called the order of f and denoted by $\mathrm{ord}(f)$ or 
$\mathrm{ord}(f(x))$. 

EXAMPLE 2.2.22. Let $f(x) = x^4 + x^3 + 1$ be a polynomial in $\mathbb{F}_2[x]$. The order of f is 15, 
since $(x^4 + x^3 + 1) \mid (x^{15} - 1)$. Note that, since we are in $\mathbb{F}_2$, subtraction performs the same 
as addition and we may perform long division to check divisibility: 

$$\frac{x^{15} - 1}{x^4 + x^3 + 1} = x^{11} + x^{10} + x^9 + x^8 + x^6 + x^4 + x^3 + 1,$$ 

with zero remainder. 


Now we can present the notion of a primitive polynomial. Primitive polynomials are used 
in multiple cryptographic applications, such as generating maximal-period linear feedback 
shift registers (LFSRs) or pseudorandom numbers. Primitive polynomials are also used in 
many well-known algorithms such as the Advanced Encryption Standard (AES). 

Definition 2.2.23. A polynomial $f \in \mathbb{F}_q[x]$ of degree m is a primitive polynomial over the 
field $\mathbb{F}_q$ if f is monic, $f(0) \neq 0$, and $\mathrm{ord}(f) = q^m - 1$. 

Note that in Definition 2.2.23 [5], the term monic means that the coefficient of the highest 
degree term is one. A primitive polynomial is a monic, irreducible polynomial over $\mathbb{F}_q$ and 
has a root $\alpha \in \mathbb{F}_{q^m}$ that generates the entire multiplicative group of $\mathbb{F}_{q^m}$. This is why many 
applications such as AES use primitive polynomials: they generate the entire Galois field 
used in the algorithm. Although it is true that a primitive polynomial is irreducible, it is not 
always true that an irreducible polynomial is primitive. 

EXAMPLE 2.2.24. The polynomial in Example 2.2.22 is irreducible and primitive. As 
a check, f is monic since the coefficient of $x^4$ is one. We now check that 0 is not a zero 
(aka root) of the polynomial, and we see that $f(0) = 0 + 0 + 1 = 1$. Finally, we require that 
$\mathrm{ord}(f) = 2^4 - 1$, which was verified as 15 previously. 
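The polynomial arithmetic of this subsection (the sum and product in $R[x]$, Example 2.2.16, the order of Definition 2.2.21 and the primitivity test of Definition 2.2.23) worked through in code, as an added example that is not part of the thesis. It represents a polynomial over $\mathbb{F}_2$ as a Python integer whose bit i is the coefficient of $x^i$, a convention chosen here for illustration.

```python
# Added example, not from the thesis: polynomials over F_2 stored as Python ints,
# where bit i of the int is the coefficient a_i of x^i (so 0b11001 is x^4 + x^3 + 1).

def gf2_add(f, g):
    """f(x) + g(x): coefficients add mod 2, which is XOR bit by bit."""
    return f ^ g

def gf2_mul(f, g):
    """f(x) g(x) with c_k = sum_{i+j=k} a_i b_j (mod 2), via shift-and-XOR."""
    result = 0
    while g:
        if g & 1:
            result ^= f        # add f(x) * x^j for every nonzero b_j
        f <<= 1
        g >>= 1
    return result

def gf2_divmod(f, g):
    """Division algorithm in F_2[x]: returns (q, r) with f = q g + r and deg r < deg g."""
    if g == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r = 0, f
    deg_g = g.bit_length() - 1
    while r and r.bit_length() - 1 >= deg_g:
        shift = r.bit_length() - 1 - deg_g
        q ^= 1 << shift        # next quotient term x^shift
        r ^= g << shift        # subtract (= add, over F_2) g(x) x^shift
    return q, r

def gf2_order(f):
    """ord(f) of Definition 2.2.21: least e > 0 with f(x) | (x^e - 1); needs f(0) != 0.

    Over F_2, x^e - 1 = x^e + 1, and f | x^e + 1 iff x^e = 1 (mod f), so we walk
    x, x^2, x^3, ... reduced modulo f until the residue is 1. The order is at most
    2^deg(f) - 1 because there are only that many nonzero residues modulo f.
    """
    deg = f.bit_length() - 1
    if deg < 1 or (f & 1) == 0:
        raise ValueError("order is defined for deg f >= 1 with f(0) != 0")
    r = 1
    for e in range(1, 1 << deg):
        r <<= 1                # multiply the residue by x
        if (r >> deg) & 1:
            r ^= f             # reduce: replace the leading term x^deg using f
        if r == 1:
            return e
    raise AssertionError("unreachable when f(0) != 0")

def gf2_is_irreducible(f):
    """Trial division by every polynomial of degree 1 .. deg(f)//2 (Definition 2.2.19)."""
    deg = f.bit_length() - 1
    if deg < 1:
        return False
    return all(gf2_divmod(f, g)[1] != 0 for g in range(2, 1 << (deg // 2 + 1)))

def gf2_is_primitive(f):
    """Definition 2.2.23 over F_2: monic (automatic here), f(0) != 0, ord(f) = 2^deg - 1."""
    deg = f.bit_length() - 1
    return deg >= 1 and (f & 1) == 1 and gf2_order(f) == (1 << deg) - 1

def poly_str(f):
    """Render an int-encoded polynomial as text, e.g. 0b11001 -> 'x^4 + x^3 + 1'."""
    terms = [("1" if i == 0 else "x" if i == 1 else f"x^{i}")
             for i in range(f.bit_length() - 1, -1, -1) if (f >> i) & 1]
    return " + ".join(terms) if terms else "0"

if __name__ == "__main__":
    f = 0b11001                                  # x^4 + x^3 + 1 from Example 2.2.22
    print(poly_str(gf2_mul(0b11, 0b11)))         # (x + 1)^2 = x^2 + 1, Example 2.2.16
    print(gf2_order(f), gf2_is_irreducible(f), gf2_is_primitive(f))   # 15 True True
    q, r = gf2_divmod((1 << 15) | 1, f)          # x^15 + 1 divided by f, remainder 0
    print(poly_str(q), r)
    g = 0b11111                                  # x^4 + x^3 + x^2 + x + 1: irreducible, not primitive
    print(gf2_order(g), gf2_is_irreducible(g), gf2_is_primitive(g))   # 5 True False
```

The last line shows the caveat of the text above: $x^4 + x^3 + x^2 + x + 1$ is irreducible over $\mathbb{F}_2$ but has order 5, so it is not primitive.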

2.2.5 Vector Spaces 

Most readers are familiar with the concept of a vector space from a typical course in linear 
algebra. In a common text such as Steven Leon [8], a vector space is defined with the 
natural Euclidean approach. A vector space has two defined operations: addition and scalar 
multiplication, whereby these operations can be performed on any vector within the vector 
space. Consider the familiar two-dimensional world, or $x$-$y$ plane denoted by $\mathbb{R}^2$. Any 
two vectors in $\mathbb{R}^2$ can be added together to produce another vector in $\mathbb{R}^2$; any vector in $\mathbb{R}^2$ 
can be multiplied by a scalar in $\mathbb{R}$ to also yield another vector in $\mathbb{R}^2$. This is just one 
example of a vector space in which closure of addition and scalar multiplication is satisfied. 
Formally, Leon defines a vector space in the following manner. 

Definition 2.2.25. Let V be a set on which the operations of addition and scalar multiplication 
are defined. By this we mean that, with each pair of elements x and y in V, we 
can associate a unique element $x + y$ that is also in V, and with each element x in V and 
each scalar $\alpha \in \mathbb{R}$, we can associate a unique element $\alpha x$ in V. The set V, together with 
the operations of addition and scalar multiplication, is said to form a vector space if the 
following axioms are satisfied: 

A1. $x + y = y + x$ for any x and y in V. 

A2. $(x + y) + z = x + (y + z)$ for any x, y and z in V. 

A3. There exists an element $0$ in V such that $x + 0 = x$ for each $x \in V$. 

A4. For each $x \in V$, there exists an element $-x$ in V such that $x + (-x) = 0$. 

A5. $\alpha(x + y) = \alpha x + \alpha y$ for each scalar $\alpha$ and any x and y in V. 

A6. $(\alpha + \beta)x = \alpha x + \beta x$ for any scalars $\alpha$ and $\beta$ and any $x \in V$. 

A7. $(\alpha\beta)x = \alpha(\beta x)$ for any scalars $\alpha$ and $\beta$ and any $x \in V$. 

A8. $1 \cdot x = x$ for all $x \in V$. 

This is a fine definition for purposes of linear algebra, but it can be generalized using the 
concepts of groups and fields. 
Definition 2.2.26. [2] Let F be a field. A vector space over F is an additive abelian group 
V together with a scalar multiplication of each element of V by each element of F on the 
left, such that for all $a, b \in F$ and $\alpha, \beta \in V$, the following conditions are satisfied: 

V1. $a\alpha \in V$. 

V2. $a(b\alpha) = (ab)\alpha$. 

V3. $(a + b)\alpha = (a\alpha) + (b\alpha)$. 

V4. $a(\alpha + \beta) = (a\alpha) + (a\beta)$. 

V5. $1\alpha = \alpha$. 


In Definition 2.2.26, the elements a, b of an arbitrary field F are scalars, while $\alpha, \beta$ are 
vectors. 

EXAMPLE 2.2.27. The additive abelian group of all $2 \times 2$ matrices over the reals with the 
usual scalar multiplication involving matrices is a vector space over $\mathbb{R}$. 

EXAMPLE 2.2.28. The complex numbers $\mathbb{C}$ form a vector space over the real numbers. 

The dimension of a vector space V is the number of linearly independent vectors needed 
to span or generate V. With this in mind, the dimension of $\mathbb{R}^2$ is two. A more applicable 
example to Definition 2.2.26 follows. 

EXAMPLE 2.2.29. Let F be a field with E an extension field of F. Also, let $\alpha \in E$, where 
$\alpha$ is algebraic over F. By algebraic, we mean that there exists a non-zero polynomial 
$f(x) \in F[x]$ such that $f(\alpha) = 0$. Now suppose that the degree of $\alpha$ over F is n. Then we 
can express the vectors in $F(\alpha)$ as a linear combination such that $\{1, \alpha, \ldots, \alpha^{n-1}\}$ are 
linearly independent in $F(\alpha)$ over F. This set of vectors also spans $F(\alpha)$, and thus it has 
dimension n. 
CHAPTER 3: 
Block Ciphers 


This chapter introduces cryptography and the necessary information on block ciphers. In 
particular, an overview of the DES is presented with an eye towards each S-Box within 
the algorithm. For more information on block ciphers and other symmetric algorithms, the 
reader should refer to [9-11]. 


3.1 Introduction 

Cryptography is the process of designing communication systems over nonsecure channels. 
The word cryptography is often used interchangeably with cryptology, though the latter is 
technically the general word for the study of communication over nonsecure channels [12]. 
Historically, we might say that the origins of cryptography date back to primitive man and 
his method of communication with others. The first true example of cryptography, however, 
probably lies with the ancient Egyptians and their use of hieroglyphics. No matter 
the civilization nor the timeline, the need to protect information has always been present. 
The latter half of the 20th century introduced the digital computer, which ultimately made 
cryptography a required part of everyday life. Unfortunately, as technology advances, so 
do the means by which adversaries break these systems (known as cryptanalysis). As 
stated in [11]: “Cryptography is the only practical means for protecting the confidentiality 
of information transmitted through potentially hostile environments, where it is either 
impossible or impractical to protect the information by conventional physical means.” 


3.2 Secure Communications 

The need for cryptographic algorithms to protect data arises from the basic communication 
scenario between two (or multiple) people or entities. Cryptography introduces an algorithm 
or method to convert a message into an encrypted message and vice versa, so that 
two parties can communicate securely and not have their message read by another party. 
3.2.1 Background 

Consider the following scenario referenced in Figure 3.1. In this classic figure, two parties, 
Alice and Bob, want to communicate with each other. Meanwhile, a potential adversary 
named Eve (Eve for eavesdropper), wants to intercept this message. 


Figure 3.1: The Basic Communication Scenario for Cryptography, after [12]. 

Alice could send Bob a message in the clear, i.e., unencrypted, but Eve could easily intercept 
it. Instead, Alice creates a plaintext message and encrypts it using an encryption 
key. Once encrypted, the message is now referred to as ciphertext. Bob receives the ciphertext 
and decrypts it back to plaintext using a decryption key. Keeping the contents of the 
message secure from Eve not only depends on the encryption/decryption method used, but 
more so on the keys. Encryption and decryption are encompassed in a cipher. 

The algorithm and the keys together comprise a cryptosystem. With the exception of the 
one-time pad¹, every cryptosystem can theoretically be broken. Thus, great care is taken to 
create a cryptosystem that is mathematically too difficult to break in any reasonable amount 
of time. Claude Shannon introduced the concepts of confusion and diffusion in regards to 
good cryptosystem design. Confusion means that it is too difficult for an adversary to detect 
the outcome of the ciphertext from a one character change in the plaintext. In an algorithm 
with good confusion, the relationship between the plaintext/key and the ciphertext is often 
complex. On the other hand, diffusion means that few changes in the plaintext create many 
changes in the ciphertext. Thus, good diffusion implies that Eve needs a large portion of 
ciphertext to determine the algorithm and conduct a statistical attack [13]. 

¹In a one-time pad, the plaintext is encrypted one character at a time with a random nonrepeating set of 
key characters. The key characters are added to the plaintext characters modulo 26; the key is only used once 
and then discarded [9]. 
3.2.2 Types of Algorithms 

There are two types of cryptographic algorithms: symmetric and public key. In a symmetric 
algorithm, the encryption and decryption keys are known to both sender and receiver [12]. 
Most of the time the keys are the same and other times they are closely related by a simple 
transformation. Examples of symmetric algorithms include the DES and the AES. In 
contrast, a public key algorithm uses two distinct keys. One of these keys, called the public 
key, is freely available to any party. The other key, called the private key, is kept secret; each 
party has their own private key that corresponds to the public key. It is virtually impossible 
for an adversary to deduce the private key in a reasonable amount of time given the public 
key. In a typical system, the encryption key is the public key and the decryption key is 
the private key [9]. The most widely known public key cryptosystem is Rivest-Shamir-Adleman (RSA). 

Symmetric algorithms can be classified as block ciphers or stream ciphers. In a block 
cipher, the message is partitioned into predetermined block sizes, fed through the algorithm, 
output in blocks, and concatenated for the receiver to interpret. In a stream cipher, each 
character in the plaintext is encrypted separately [13]. Section 3.3 will cover more on the 
topic of block ciphers, in particular DES. 

3.2.3 Keys 

The encryption/decryption keys are extremely important to the security of a cipher. Algorithms 
are generally public knowledge, therefore anyone with a brain can figure out how a 
plaintext message moves through the algorithm. However, it is a combination of the algorithm 
complexity and key length that ultimately determine how secure a cryptosystem will 
be. 

If Eve knows the key, then she can read all messages encrypted with that key. Eve could 
conduct an exhaustive attack by trying all possible keys, but if the key is long enough, this 
could be infeasible. Therefore, it is generally true that a longer key is more difficult to 
break than a shorter one. For example, AES uses a variable key length of 128, 192, or 256 
bits, where each bit is either a zero or one. Thus, the key space for a 256 bit AES key is $2^{256}$ 
possible keys, or roughly $1.1579 \times 10^{77}$. For some perspective, the Earth is approximately 
4.54 billion years old ($4.54 \times 10^9$) while the universe is roughly 13.8 billion years old. 

From a purely theoretical standpoint, let us assume we have a processor that can perform 
10^ encryptions per second. If a collection of 1000 processors attempts an exhaustive 
search of all $2^{128} \approx 3.4 \times 10^{38}$ keys for a 128-bit key, then it would take roughly 10^^ years 
to search this space. Even if we had access to one of the world’s fastest computers in China 
that operates at $33.86 \times 10^{15}$ floating point operations per second [14], at 300 operations 
per encryption this would take roughly over 95 quadrillion years to exhaust the key space. 

3.3 Block Ciphers 

The history of the term block cipher is somewhat vague. Many classical and historical 
cryptosystems are deemed block ciphers, but the modern-day idea of a block cipher was 
not cemented until the 1970s. Some examples of early block ciphers include: Vigenere (~ 
1550), Playfair (1854), and Hill (1929). In 1973, the National Bureau of Standards (NBS), 
the current National Institute of Standards and Technology (NIST), issued a request for 
a cryptosystem to become the new national standard for encryption. NBS required this 
standard to be a block cipher, essentially initiating the formal study of block ciphers. DES 
and AES are the two most common examples of block ciphers. 

3.3.1 Definition and Design 

Formally, a block cipher is a pair of functions [15] E and D: 

$E : V_k \times V_n \to V_n$ (3.1) 

$D : V_k \times V_n \to V_n$. (3.2) 

In other words, a block of plaintext of bit length n is combined with a key of bit length 
k, producing an encrypted block of ciphertext of bit length n. Similarly, the decryption 
function takes an n-bit ciphertext with a k-bit key and maps the combination into an n-bit 
plaintext. In traditional math lingo, E and D undo each other and are thus inverses. 

Most modern block ciphers operate in iterated fashion, meaning the blocks of plaintext pass 
through a round function f for a set number of rounds. The purpose of this is to increase 
algorithm security by repeatedly using the same function. Each round uses a different 
key derived from the previous one, further increasing the security. Figure 3.2 depicts the 
situation just described. 

Figure 3.2: General Structure of a Block Cipher, from [15]. 


There are various ways to design a cryptosystem to achieve an adequate level of security 
in encryption. The two main design techniques are the Feistel system and substitution- 
permutation networks (SPN). A Feistel system is depicted in Figure 3.3, while SPN is 
displayed in Figure 3.4. 



Figure 3.3: General Structure of a Feistel System, from [16]. 


The Feistel system is named after the German-born cryptographer Horst Feistel. In the 
Feistel cipher, the first round is initiated with a split of a plaintext block into two halves, 
called the left and right. The right side and the round key pass through the round function, 
the result of which is then combined with the left side via the logical exclusive or (XOR) 
(in binary, this is equivalent to addition modulo 2). The result of this XOR then swaps with 
the preceding right side and becomes the new right side for the next round. This process 
then iterates over a set number of rounds. After the last round, the resulting left and right 
parts become the ciphertext block. Since this process must be invertible, decryption works 
in the same manner but in the reverse direction. 



Figure 3.4: Substitution-Permutation Network, after [15]. 


In the SPN, the encryption algorithm makes use of two basic cryptographic operations: 
substitution and permutation. SPNs are a type of product cipher because they involve more 
than one transformation, i.e., substitution and permutation, essentially mixing confusion 
and diffusion over and over again. The plaintext block and the initial key are combined 
via XOR, the result of which is then subdivided into smaller blocks and passed through a 
substitution step. Each of the boxes in Figure 3.4 labeled with an S is known as a substitution 
box (S-Box), and these introduce confusion in the cipher. In the substitution step, 
each character is replaced with another character. A permutation step follows substitution, 
in which the bits are permuted or re-ordered. Permutation generates diffusion in the cipher. 
Following the permutation step, the resulting block is combined with the next round key 
via XOR and the process iterates. 

3.3.2 Advantages and Disadvantages 

One of the primary drawbacks to any symmetric algorithm is key distribution [13]. If Alice 
wants to talk to Bob using a symmetric algorithm, then Alice and Bob need to have the 
same key. If Alice and Bob are on separate continents, however, key distribution could 
prove to be difficult. In addition, if Alice wants to talk with Charles, then she needs a 
different key than the one used to converse with Bob. Key generation is also an issue, but 
this process will be discussed more in depth in Section 3.4. Block ciphers also present their 
own advantages and disadvantages as displayed in Table 3.1. 



Block Encryption Algorithms 

Advantages 

• High diffusion. Information from the plaintext is diffused into several 
ciphertext symbols. One ciphertext block may depend on several 
plaintext letters. 

• Immunity to insertion of symbols. Because blocks of symbols are 
enciphered, it is impossible to insert a single symbol into one block. 
The length of the block would then be incorrect, and the decipherment 
would quickly reveal the insertion. 

Disadvantages 

• Slowness of encryption. The person or machine using a block cipher 
must wait until an entire block of plaintext symbols has been 
received before starting the encryption process. 

• Error propagation. An error will affect the transformation of all 
other characters in the same block, although there are techniques 
of self-healing when implementing the block cipher (see the next 
section). 


Table 3.1: Analyzing Block Algorithms, after [13]. 
Additionally, while block ciphers can be used in a variety of modes, they are often more 
difficult to analyze mathematically than stream ciphers. However, block ciphers are often 
more suitable for software implementation because they avoid bit by bit computations and 
work on blocks of information that can be implemented in computers very efficiently [9]. 

3.3.3 Modes of Operation 

Recall that a block cipher operates on a block of plaintext. Issues arise, however, when the 
message size differs drastically from the block size. For example, a block cipher acting on 
a block size of 128 bits needs help if the message size is only 20 bits. To account for the 
varying needs of users and their messages, block ciphers can operate in a variety of modes. 
The most common modes of operation are listed below: 

• electronic codebook (ECB) 

• cipher block chaining (CBC) 

• cipher feedback (CFB) 

• output feedback (OFB) 

• counter (CTR). 

Electronic Codebook Mode 

ECB is the most common mode of operation for a block cipher. Given an encryption 
function $E_K$, a plaintext block P is subdivided into smaller words $P = [P_1, P_2, \ldots, P_L]$ and 
produces the ciphertext $C = [C_1, C_2, \ldots, C_L]$, where $C_j = E_K(P_j)$ is the encryption of $P_j$ 
using the key K. In other words, each of the words in the plaintext is encrypted using the 
same key [10,12]. Since each plaintext block encrypts independently of another, this mode 
is easy to work with and favors parallel processing on multiple machines. Additionally, 
errors in transmission remain within the associated block and do not affect other blocks. 
However, the major weakness with ECB is that identical blocks of plaintext encrypt to 
identical blocks of ciphertext. Due to redundancies in most communication, an adversary 
can detect repetitions and build a codebook without even knowing the key [9]. 

Cipher Block Chaining Mode 

CBC incorporates the method of chaining, a feedback mechanism that resembles a recursive 
operation. The encryption of a given block depends on the encryption of previous 
blocks. Using notation from the previous paragraph, encryption is defined as 

$C_j = E_K(P_j \oplus C_{j-1})$. (3.3) 

Thus, as evidenced in Figure 3.5, the plaintext is XORed with the previous ciphertext block. 
Equation 3.3 allows for a value of $C_0$, which is some chosen initial value represented as an 
initialization vector (IV). The purpose of an IV is to make each message unique, thus 
alleviating the problem of identical plaintext messages encrypting to the same ciphertext 
messages [9]. 



Figure 3.5: Cipher Block Chaining Mode, from [17]. 


Cipher Feedback Mode 

CFB allows for encryption/decryption of a set of characters smaller than the block size. In 
this sense, CFB is a way to implement a block cipher as a stream cipher. In general, CFB 
operates on a k-bit mode, where k is less than or equal to the block size. The plaintext 
$P = [P_1, P_2, \ldots]$ is broken down into k-bit chunks, where each $P_j$ has k bits. Encryption 
is once again started with an IV, which can be public, but it is unique for each block of 
encryption. Once the IV is encrypted, the leftmost k bits of this result are XORed with 
the first k bits of the plaintext. The result of this operation is the first chunk of ciphertext. 
For the next stream of encryption, this k-bit chunk of ciphertext is then appended to the 
right side of the IV, shifting all bits k positions to the left (leftmost k bits are discarded). 
Encryption then proceeds in the same manner. Mathematically, encryption is defined for 
$j = 1, 2, 3, \ldots$ on an n-bit plaintext message in the following manner: 

$O_j = L_k(E_K(X_j))$ (3.4) 

$C_j = P_j \oplus O_j$ (3.5) 

$X_{j+1} = R_{n-k}(X_j) \,\|\, C_j$. (3.6) 

$L_k$ refers to the leftmost k bits and $R_{n-k}$ refers to the rightmost $n - k$ bits; $X_1$ is the IV and 
$\|$ refers to concatenation. Figure 3.6 depicts CFB on a 5-bit mode. 



(a) Encryption (b) Decryption 

Figure 3.6: 5-bit Cipher Feedback Mode on 64-bit Plaintext, from [18]. 
Output Feedback Mode 

Figure 3.7 depicts OFB on a 5-bit mode. OFB is another method of implementing a block 
cipher in a stream mode. Just like in CFB, the IV is encrypted; the leftmost k bits of this 
result (call this $O_j$) are extracted and XORed with the first k bits of the plaintext, producing 
the first k bits of ciphertext. For the next stream, rather than use the ciphertext as the input 
to the next IV, OFB takes $O_j$ and appends this chunk to the right side. Mathematically, 
encryption is defined for $j = 1, 2, 3, \ldots$ on an n-bit plaintext block in the following manner: 

$O_j = L_k(E_K(X_j))$ (3.7) 

$X_{j+1} = R_{n-k}(X_j) \,\|\, O_j$ (3.8) 

$C_j = P_j \oplus O_j$. (3.9) 

Figure 3.7: 5-bit Output Feedback Mode on 64-bit Plaintext, from [18]. 


The operation in both CFB and OFB involving appending, shifting, and discarding bits is
very similar to the way that a LFSR works. LFSRs can quickly produce a pseudorandom
sequence of bits defined by a linear recurrence relation. LFSRs have wide usage, especially
in military cryptography; for more on the subject consult [9,12].

While CFB and OFB operate in similar manners, there are glaring differences with regard
to error propagation. In CFB, an error in the plaintext will affect all outputs of ciphertext
due to the recurrence relation. An error in the ciphertext, however, can be flushed out
since eventually the ciphertext block with the error(s) will be shifted left until discarded.
The problem here is that decryption produces nonsensical plaintext until errors are flushed.
In OFB, errors in the ciphertext do not propagate; bits of ciphertext that are corrupted
translate to corresponding bits in the plaintext with corruption. Since successive rounds
are not built using corrupted ciphertext, errors do not repeat into other rounds. OFB can
be used offline since future streams do not depend on the plaintext message being present.
However, various professionals such as Robert Jueneman have shown that k-bit OFB mode
is insecure for values of k less than the block size [19]. The key stream O_j has to eventually
repeat, but the concern is that this repeat happens with the same key. When k is equal to the
block size n, the cycle length of key streams averages to 2^n - 1. When k < n, this average
cycle length drops to 2^{n/2}, making it a much shorter time to find the repetition [9].


Counter Mode 

CTR mode is similar to OFB, but the output of the encryption is not used in the next stream.
Instead, the encryption input vector is incremented by some constant, typically one, and
used in the next register. The mode starts with an IV of length equal to the block length and
is encrypted with key K. The leftmost k bits of this result are XORed with the first k-bit
chunk of plaintext to produce the first k-bit piece of ciphertext. A new encryption stream
is then created by adding one to the IV and the process iterates. Note how the new vector
does not depend on the encryption from the previous output. This process is depicted in
Figure 3.8.

[Figure 3.8 is not reproduced in this scan.]

Figure 3.8: Counter Mode, from [18].


Mathematically, encryption in CTR mode is given by 


X_j = X_{j-1} + 1                            (3.10)

O_j = L_k(E_K(X_j))                          (3.11)

C_j = P_j \oplus O_j.                        (3.12)
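The three k-bit modes above, written out as an added example (this is not code from the thesis or from [18]): CFB, OFB and CTR over a stand-in 64-bit block function E_K, which is assumed here to be a SHA-256 based keyed function rather than DES, since the modes only ever call E_K in the forward direction. The last function flips one ciphertext bit and reports which plaintext chunks come back damaged, which is the error-propagation contrast discussed above.

```python
"""k-bit CFB, OFB and CTR over an n-bit block function, following Equations (3.4) to (3.12)."""
import hashlib

N = 64  # block size n in bits, as for DES


def enc_block(key, x):
    """Stand-in for E_K: a keyed 64-bit pseudorandom function built from SHA-256 (not DES).
    All three modes use E_K only in the forward direction, so a PRF is enough for the demo."""
    digest = hashlib.sha256(key + x.to_bytes(N // 8, "big")).digest()
    return int.from_bytes(digest[:N // 8], "big")


def L(x, k):
    """L_k: the leftmost k bits of an n-bit value."""
    return x >> (N - k)


def R(x, m):
    """R_m: the rightmost m bits of an n-bit value."""
    return x & ((1 << m) - 1)


def shift_in(x, chunk, k):
    """X_{j+1} = R_{n-k}(X_j) || chunk: discard the leftmost k bits, append chunk on the right."""
    return (R(x, N - k) << k) | chunk


def cfb(key, iv, k, data, decrypt=False):
    """CFB, (3.4)-(3.6). What is fed back is always the ciphertext chunk, so one loop serves
    both directions: when encrypting it is the chunk just produced, when decrypting the one read."""
    x, out = iv, []
    for chunk in data:
        o = L(enc_block(key, x), k)                   # O_j = L_k(E_K(X_j))
        y = chunk ^ o                                  # C_j = P_j xor O_j, or P_j = C_j xor O_j
        out.append(y)
        x = shift_in(x, chunk if decrypt else y, k)    # X_{j+1} = R_{n-k}(X_j) || C_j
    return out


def ofb(key, iv, k, data):
    """OFB, (3.7)-(3.9): the keystream chunk O_j is fed back, never the data. Encryption and
    decryption are the same operation."""
    x, out = iv, []
    for chunk in data:
        o = L(enc_block(key, x), k)                   # O_j = L_k(E_K(X_j))
        out.append(chunk ^ o)                          # C_j = P_j xor O_j
        x = shift_in(x, o, k)                          # X_{j+1} = R_{n-k}(X_j) || O_j
    return out


def ctr(key, iv, k, data):
    """CTR, (3.10)-(3.12): X_j = X_{j-1} + 1 (mod 2^n); no earlier output is reused."""
    x, out = iv, []
    for chunk in data:
        out.append(chunk ^ L(enc_block(key, x), k))   # C_j = P_j xor L_k(E_K(X_j))
        x = (x + 1) % (1 << N)
    return out


def corrupted_chunks(mode, key, iv, k, plaintext, chunk_index, bit):
    """Encrypt, flip one ciphertext bit, decrypt, and return the indices of the plaintext
    chunks that came back wrong. In CFB the damaged chunk sits in the shift register for the
    next n/k chunks; in OFB and CTR only the chunk holding the flipped bit is affected."""
    if mode == "cfb":
        ct = cfb(key, iv, k, plaintext)
        ct[chunk_index] ^= 1 << bit
        recovered = cfb(key, iv, k, ct, decrypt=True)
    else:
        crypt = ofb if mode == "ofb" else ctr
        ct = crypt(key, iv, k, plaintext)
        ct[chunk_index] ^= 1 << bit
        recovered = crypt(key, iv, k, ct)
    return [j for j, (a, b) in enumerate(zip(plaintext, recovered)) if a != b]


if __name__ == "__main__":
    key, iv, k = b"constructed demo key", 0x0123456789ABCDEF, 8   # constructed sample values
    pt = list(b"constructed plaintext, 32 bytes!")                  # 32 one-byte chunks
    for mode in ("cfb", "ofb", "ctr"):
        print(mode, "plaintext chunks damaged by one flipped ciphertext bit:",
              corrupted_chunks(mode, key, iv, k, pt, 5, 0))
```

With k = 8 and n = 64 the CFB damage covers the flipped chunk and up to the following eight chunks, after which the corrupted value has been shifted out of the register.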


3.4 The Data Encryption Standard 

DES is perhaps the most well-known block cipher of the last century. It was for several
decades the standard for data transmission in electronic commerce. Although it is no longer
secure enough for much of our business needs in the United States (U.S.), DES is still in
use as a primary system in some parts of the world and even for lower level applications in
the U.S. such as secure speech [20].
3.4.1 History

Although cryptographic algorithms have been in use for quite a while, times of intensive
military conflict have necessitated secure communications. The world wars
forced militaries to create ciphers to facilitate communication. The breaking of the infamous
Zimmermann Telegram accelerated the U.S. entry into WWI. The German Enigma
machine was in use for almost 20 years before the British and Polish were able to decrypt
its messages in WWII. Claude Shannon gave us further insight into making cryptographic
algorithms stronger following the wars, in 1949.¹ Furthermore, with computers coming
to the forefront in the 1950s and 1960s, the need to protect data in the commercial sector
became apparent [11].

Various private industries began earnest work on the development of strong block ciphers
in the late 1960s [11]. Due to wars and the need for protecting government data, cryptology
generally fell to the hands of the U.S. Department of Defense and Department of State. The
rise in commercial industry, however, engendered the need for a public encryption system
to be created. The NBS was charged with the task of finding this algorithm.

At the time, International Business Machines (IBM) was already involved in cryptography
and algorithm development. According to D. Coppersmith, IBM was asked in the early
1970s by Lloyd's of London insurance to develop an encryption scheme for protecting
automated teller machine (ATM) data [21,22]. Officially, NBS issued a public request
for a national cryptographic standard in the 1973 Federal Register. NBS specified nine
major design principles, some of which included: ability to provide a high level of security,
available to all users, adaptable to multiple applications, exportable, security depending on
the key and not the secrecy of the algorithm, etc. [9,13]. Few products were submitted, and
none of them met sufficient criteria for a standard, thus NBS issued a second request in the
1974 Federal Register.

IBM was already working on an algorithm when NBS issued their request. At two separate
sites (Kingston and Yorktown Heights, NY), the IBM team consisting of Roy Adler, Don
Coppersmith, Horst Feistel, Edna Grossman, Alan Konheim, Carl Meyer, Bill Notz, Lynn
Smith, Walt Tuchman, and Bryant Tuckerman developed an algorithm they dubbed Lucifer

¹ C. Shannon wrote arguably the most influential paper of the 20th century on cryptography in 1949,
"Communication Theory of Secrecy Systems."
[9,13,21]. IBM submitted Lucifer to NBS in 1974, who forwarded the algorithm to the
National Security Agency (NSA) for review. After some modifications, NSA returned a
version which was approved and published by NBS in 1975 as DES. After two years of
critique and criticism, NBS adopted DES as the national standard in 1977 [9,12].

From its publication in 1975, DES has been embroiled in controversy. First, the proponents
of Lucifer were dismayed that the NSA reduced the key size from 128 bits to 56. Second,
the design considerations of DES were not released at the time of publication. This worried
some because many thought that either IBM or the NSA had built a "trapdoor" into the
algorithm, i.e., a secret weakness to allow only them to be able to break the system. However,
Coppersmith argues that this was not the case; IBM was circumspect, and the non-disclosure of this
information was meant to prevent cryptanalysis [21]. Finally, the NSA "characterized DES as one
of their biggest mistakes" [9]. The NSA approved the standard with the notion that DES
would be a hardware-only protocol; NBS issued the standard with enough information so
that programmers could write DES software. In this respect, DES did more for the field
of cryptanalysis, and it came as no surprise that the next government standard algorithm
(Skipjack) was classified [9].

DES was officially published on January 15, 1977, as Federal Information Processing Standards
(FIPS) Publication 46. NBS required that the standard be recertified and validated
every five years after that. In 1983, DES passed the test easily. In 1988, however, the NSA
had objections to the standard and demurred that it would not take long for DES to be broken.
Unfortunately, there were no other viable alternatives available and businesses were
regularly using DES for encryption needs [9]. The standard was recertified and updated on
January 22, 1988, as FIPS Publication 46-2. DES was again recertified in 1993. By 1997,
however, several methods were known for attacking DES-like systems, thus initiating the
search for a replacement. DES was recertified on October 25, 1999, as FIPS Publication
46-3, which also encouraged the use of Triple DES (equivalent of a 112-bit key) to secure
data [12]. With successful cryptanalysis occurring in 1999, NBS (now NIST) convened
to select a replacement. Finally, in November 2001 AES was published, but DES would
remain in place until its removal in May 2005. For almost 30 years, DES was the national
standard for encryption.
3.4.2 Algorithm Overview


DES is a symmetric block cipher operating on blocks of 64-bit plaintext. It is a Feistel-type
system whose round function utilizes SPN operations. The key is 56 bits in length,
although it is expressed as a 64-bit string; every eighth bit is a parity check bit used for
error detection and is usually ignored (see a text on coding theory for more on this subject).
Since encryption must be invertible, a 64-bit block of plaintext encrypts to a 64-bit block
of ciphertext. Thus, encryption and decryption can be visualized [23], respectively, as

KEY (56 bits) + Plaintext (64 bits) = Ciphertext (64 bits)                    (3.13)

KEY (56 bits) + Ciphertext (64 bits) = Plaintext (64 bits).                   (3.14)


Outline 


Figure 3.9 depicts the DES algorithm, consisting of 16 rounds. A 64-bit block w of plaintext
is sent through an initial permutation (IP) to obtain w_0 = IP(w). This new block is then
split into a left and right half, each 32 bits long, i.e., w_0 = L_0 R_0. For 16 rounds, the
operations are the same. The right half goes into the round function f while also becoming
the left half of the next round. The left half is XORed with the output of the round function,
and the result of this XOR becomes the right half of the next round. Mathematically, this
is given for 1 \le i \le 16 as

L_i = R_{i-1}                                   (3.15)

R_i = L_{i-1} \oplus f(R_{i-1}, K_i).           (3.16)

The notation K_i represents the ith round key, which consists of only 48 bits drawn from the 56-bit key. After applying
the 16th round function, the left and right halves are swapped, then go through an inverse
permutation to obtain the ciphertext c = IP^{-1}(R_{16} L_{16}).
Initial Permutation


The IP actually occurs before the start of the first round. It does not affect the security of
DES, and it does not have any cryptographic significance. The best explanation is that
the IP and inverse IP made data more easily readable by processors in the 1970s [9,12].
This step is essentially a table lookup, read left to right and top to bottom. The IP is listed
below in Table 3.2. For example, the 58th bit of w becomes the 1st bit of w_0, the 50th bit
of w becomes the 2nd bit of w_0, the 42nd bit of w becomes the 3rd bit of w_0, etc.


Initial Permutation

[Table 3.2 is not recoverable from this scan; only a few scattered entries survived.]

Table 3.2: DES Initial Permutation, from [12].


Round Function 

Recall that the input to each round function is the right half of the block from the previous
round. The function f has a number of steps within it, the first of which is another permutation
called expansion. This expansion permutation is depicted in Table 3.3, whereby
R is expanded to E(R). Note that this table has 48 bits of output operating on an input of
32 bits. While the reader will note repetitions in the table, each input block generates a
unique output block. The table reads the same as the IP, i.e., the 32nd bit of the input block
becomes the 1st bit in the expansion block, etc. The purpose of expansion is not only to
provide a block size equal to the subkey length for the XOR operation, but also to exhibit an
avalanche effect. In other words, one bit affects two substitutions [9].
Expansion Permutation

[Table 3.3 is not recoverable from this scan.]

Table 3.3: DES f Expansion Permutation, from [12].


After expansion, E(R) is then XORed with a 48-bit subkey K_i (key generation will be
discussed later). The result of E(R) \oplus K_i is another 48-bit string, which is partitioned into
6-bit chunks labeled B_1 B_2 \cdots B_8. These B_j then go through a substitution step. Substitution
is performed via S-Boxes, whereby the input to S_j is B_j. The input to each S-Box is a 6-bit
string, while the output is a 4-bit string. Substitution will be discussed in greater detail in
the next subsection.

The outputs of the S-Boxes are eight 4-bit chunks, which are concatenated to form
C_1 C_2 \cdots C_8. This new string then goes through another permutation, sometimes known
as the P-Box. The P-Box permutation is shown in Table 3.4. This operation completes the
round function; the layout of the DES round function is displayed in Figure 3.10.


Permutation

[Table 3.4 is not recoverable from this scan.]

Table 3.4: DES f Permutation, from [12].

[Figure 3.10 is not reproduced in this scan.]

Figure 3.10: The DES Function f, after [12].


Key Generation 

Recall that the initial DES key is 64 bits in length, but every eighth bit is a parity check bit.
Thus, ignoring the parity check bits, the key is reduced to a 56-bit string K. As was written
in the original registers [24-26], the key bits are then permuted via Permuted Choice-1.
Following the first permutation, the key is split into two halves of 28 bits each, K = C_0 D_0.
C_0 and D_0 then undergo a left shift to obtain C_1 and D_1. Each bit in C_0 and D_0 will shift
left one place, but in general this is not the case. In general, for 1 \le i \le 16, the left shift
is described by C_i = LS_i(C_{i-1}) and D_i = LS_i(D_{i-1}), where LS_i implies a left shift of one
or two places in the ith round. Both the first permutation and left shift are described in
Tables 3.5 and 3.6.


Permuted Choice-1

57 49 41 33 25 17  9
 1 58 50 42 34 26 18
10  2 59 51 43 35 27
19 11  3 60 52 44 36
63 55 47 39 31 23 15
 7 62 54 46 38 30 22
14  6 61 53 45 37 29
21 13  5 28 20 12  4

Table 3.5: DES First Key Permutation, after [12].



Number of Key Bits Shifted Per Round

Round   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Shift   1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1

Table 3.6: DES Key Left Shift Operation, from [12].


After the left shift, the 56-bit string C_i D_i undergoes one final permutation, denoted Permuted
Choice-2. This second permutation is sometimes also called a compression permutation
because it selects a subkey of 48 bits from the 56-bit input. The result from Permuted
Choice-2 is K_i for each round. This compression is required because the other input
to the XOR operation in the round function is the 48-bit expansion string E(R). Permuted
Choice-2 is displayed in Table 3.7.


Permuted Choice-2

14 17 11 24  1  5
 3 28 15  6 21 10
23 19 12  4 26  8
16  7 27 20 13  2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32

Table 3.7: DES Second Key Permutation, after [12].
Inverse Initial Permutation


The final operation in the DES algorithm is another permutation, the inverse of the IP.
After the last round, the left and right halves do not swap but instead concatenate to form
the input for IP^{-1}. The purpose of IP^{-1} is to ensure that the algorithm can be used for
decryption. In decryption, the algorithm performs in the same manner, but the order of the
keys is reversed [9,12]. IP^{-1} is displayed in Table 3.8.


Inverse Initial Permutation

40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25

Table 3.8: DES Inverse Initial Permutation, from [12].


3.4.3 Substitution Boxes 

Recall that within the DES round function, the inputs to the S-Boxes are the blocks
B_1 B_2 \cdots B_8. Each of the B_j is assigned to the corresponding S-Box S_j, where S_j is a table
lookup. The 6-bit input B_j is written as b_1 b_2 b_3 b_4 b_5 b_6. The end bits b_1 and b_6 are
used to determine the row of S_j; b_2 b_3 b_4 b_5 determine the column of S_j. The entry in the
corresponding row and column of the S-Box is the output. The output of the S-Boxes is
C_1 C_2 \cdots C_8, where C_j is a 4-bit string. In this respect, each S-Box acts as a function mapping
six bits of input to four bits of output. In fact, the S-Boxes are represented by a special
class of cryptographic functions called Boolean functions (more on this in Chapter 4).

Table 3.9 displays the first S-Box in its traditional manner. Note that each row in the box
contains the numbers zero through 15 exactly once. The reader might wonder how six bits
of input will produce four bits of output given this form. Since a bit takes on the value of
zero or one, the S-Box needs to be converted to its binary form (see Table 3.10).






S-Box 1

ROW/COL   0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
   0     14   4  13   1   2  15  11   8   3  10   6  12   5   9   0   7
   1      0  15   7   4  14   2  13   1  10   6  12  11   9   5   3   8
   2      4   1  14   8  13   6   2  11  15  12   9   7   3  10   5   0
   3     15  12   8   2   4   9   1   7   5  11   3  14  10   0   6  13

Table 3.9: DES Substitution Box 1, after [12].


S-Box 1

ROW/COL   0000  0001  0010  0011  0100  0101  0110  0111
  00      1110  0100  1101  0001  0010  1111  1011  1000
  01      0000  1111  0111  0100  1110  0010  1101  0001
  10      0100  0001  1110  1000  1101  0110  0010  1011
  11      1111  1100  1000  0010  0100  1001  0001  0111

ROW/COL   1000  1001  1010  1011  1100  1101  1110  1111
  00      0011  1010  0110  1100  0101  1001  0000  0111
  01      1010  0110  1100  1011  1001  0101  0011  1000
  10      1111  1100  1001  0111  0011  1010  0101  0000
  11      0101  1011  0011  1110  1010  0000  0110  1101

Table 3.10: DES Substitution Box 1 in Binary Form, after [23].


As a simple example, suppose B_1 = 001101. The outer bits b_1 b_6 = 01 determine the row
in the S-Box. The inner bits b_2 b_3 b_4 b_5 = 0110 determine the column. Thus, the entry
in S_1 is 13, represented as 1101 in binary. This is conveniently colored for the reader in
Table 3.10. Concatenating the remaining S-Boxes yields the desired 32-bit string for the
next permutation.

The security of the DES algorithm rests primarily in the S-Boxes. For many years, their
design was shrouded in mystery and to some extent this is true today. Although the boxes
appear to be random shufflings of 32 rows of 16 integers, the IBM design team claims that
the S-Box design is intended to thwart cryptanalysis. To investigate the claims of an alleged
NSA trapdoor emplaced in the boxes, the U.S. Senate Select Committee on Intelligence
conducted a classified review in 1978 and found no evidence of wrongdoing [9]. Although
the findings were not released, the NSA confirmed that they did not tamper with the inner
workings of DES. This might appear a closed case on the surface, but several of the IBM
designers added further controversy to the topic with their comments. Tuchman and Meyer
both stated that the S-Boxes were built by IBM and unaltered by the NSA [9]. Coppersmith
stated that the NSA "provided technical advice to IBM" and requested that S-Box design
considerations be kept secret [21]. Alan Konheim stated, "We sent the S-boxes off to
Washington. They came back and were all different. We ran our tests and they passed" [9].
Clearly, there is some doubt on the veracity of either side of the debate, but an interesting
question is why these eight S-Boxes were chosen out of the possible 8! \binom{2^{256}}{8}.

The NSA has since revealed several design criteria relating to the construction of the DES
S-Boxes [27]. They are summarized as follows:

P1. No S-box is a linear or affine function of the input.

P2. Changing 1 input bit to an S-box results in changing at least 2 output bits.

P3. S(x) and S(x + 001100) must differ in at least 2 bits.

P4. S(x) \ne S(x + 11ef00) for any choice of e and f.

P5. The S-boxes were chosen to minimize the difference between the number of 1's and
0's in any S-box output when any single output bit is held constant.

Several of the original Lucifer designers have also shed some light on the selection and
design of the S-Boxes. Meyer wrote that as the number of design criteria increased, the
selection of the appropriate S-Boxes was based on the number of terms in the corresponding
Boolean expressions [11]. According to Meyer, in order to enable implementation on a
single logic chip, it was necessary to keep the number of terms around 52 and 53. Coppersmith
also wrote a detailed explanation of the eight S-Box design principles that were used
in the original specifications. These criteria are listed below:

S-1 Each S-box has six input bits and four output bits (largest size at the time to put on a
chip).

S-2 No output bit should be too close to a linear function of the input bits (output bits
cannot be a linear combination of the input bits over F_2).

S-3 Each possible 4-bit output is attained exactly once as the middle four input bits range
over their 16 possibilities.

S-4 If two inputs differ in exactly one bit, then the outputs must differ in at least two bits.

S-5 If two inputs differ in the two middle bits exactly, then the outputs must differ in at
least two bits (if \Delta I_{i,j} = 001100, then |\Delta O_{i,j}| \ge 2).

S-6 If two inputs differ in their first two bits and are identical in their last two bits, then
the two outputs must not be the same.

S-7 For any nonzero 6-bit difference between inputs, \Delta I_{i,j}, no more than eight of the 32
pairs of inputs exhibiting \Delta I_{i,j} may result in the same output difference \Delta O_{i,j}.

S-8 The case \Delta O_{i,j} = 0 follows (S-7) but with stronger restrictions.


There are many similarities between the NSA list and Coppersmith’s, the most important 
property being nonlinearity. Linearity will be discussed more in Chapter 4, but a linear 
algorithm is trivially broken. If an adversary knows a few pairs of plaintext and ciphertext 
in a linear algorithm over the same field, the key can be recovered by solving a simple 
linear system. 

It is true that generic S-Boxes are chosen to resist differential and linear cryptanalysis.
They are usually the only nonlinear part of a cipher, which harkens back to the DES design
criteria. Although the S-Box itself is a lookup table, for DES it is a function mapping six
input bits to four output bits. In this sense, "larger" S-Boxes are generally more resistant
to statistical cryptanalysis [9]. "Larger" in this sense means a greater number of input
and output bits associated with the mapping. The selection of S-Boxes in a cipher is a
debatable issue. The DES designers claimed that months of analysis went into the selection
of the eight S-Boxes. Yet, a randomly designed S-Box can often achieve an adequate
level of resistance to attacks. While intentionally designed S-Boxes typically show strong
resistance to known attacks, their performance against unknown attacks is unknown. On
the other hand, randomly selected S-Boxes of large size can provide an adequate level of
security [9].
3.4.4 Cryptanalysis of DES


As was mentioned in Subsection 3.4.1, the security of DES has always been in question.
The key space was obviously an immediate issue. With a 128-bit key, the key space is
2^{128} \approx 3.4 \times 10^{38}, but with a 56-bit key the key space is much smaller at 2^{56} \approx 7.2 \times 10^{16}.
Although this is still a large number, famous cryptographers Whitfield Diffie and Martin
Hellman (best known for their invention of public-key crypto) analyzed the results of a
brute force attack in 1976 [9,28,29]. In a brute force attack, the cryptanalyst tries every
possible key until ciphertext decrypts to meaningful plaintext. Diffie and Hellman theorized
that a special parallel computer costing roughly $20 million could search the entire DES
key space in 10^5 seconds, or about one day [28,29]. Even though Diffie and Hellman
acknowledged that this type of attack was only feasible for organizations like the NSA,
they predicted that DES would be totally insecure by 1990 [9].

Hellman independently proposed another attack known as a chosen plaintext attack in 1980.
In a chosen plaintext attack, the adversary is assumed to have control of the cipher but
not the key. Thus, he can encrypt any number of plaintext messages and try to use the
corresponding ciphertexts to find the key. In Hellman's method, the cryptanalyst needs
memory space to store the possible encryptions, and he can thus reduce the time to find the
key. A single plaintext block is encrypted under all possible keys, with all 2^{56} results being
stored in memory. Then the cryptanalyst only has to insert the plaintext into the cipher,
recover the corresponding ciphertext and look the key up in memory. Hellman proposed
that a special computer could do this for $4-5 million, yielding 100 solutions per day [9,28].

Israeli cryptographers Eli Biham and Adi Shamir were the first to publicly announce the
method of differential cryptanalysis in 1990. At the time, brute force was the best known
possible attack against DES. Coppersmith argues that IBM knew of this technique and
purposely designed the algorithm to defeat it. Regardless, differential cryptanalysis
is another version of a chosen plaintext attack and it revolutionized the field of
cryptanalysis. In this method, the cryptanalyst starts with two plaintext messages p and
p'. These messages have a known difference, whereby the difference between two strings
is found by the XOR, i.e., \Delta p = p \oplus p'. Then the cryptanalyst can find the corresponding
ciphertext blocks c and c', that also have a known difference \Delta c. Knowing this difference
in ciphertext pairs allows the cryptanalyst to assign probabilities to different keys since
more pairs give information about the most probable key. Specifically, since we know
the plaintext and ciphertext differences, then we also know the difference in the strings
after the key mixing XOR step (since the XOR cancels the key out when looking at the
differences). Knowing this difference, call it \Delta A, we can infer differences in the strings following
the S-Boxes based on probabilities. These two differences give information about
the key [9,21]. As a toy example for why this works, consider Example 3.4.1.

EXAMPLE 3.4.1. Assume that for some block cipher, the cryptanalyst Eve has access
to two messages p and p'. She runs these through the expansion box and arrives at p =
01101 and p' = 11100. Thus, she can easily calculate the difference between these, i.e.,
01101 \oplus 11100 = 10001. She then runs these blocks through the key mixing step (reminder:
Eve does not know the key), yielding 01101 \oplus K_i = 10010 and 11100 \oplus K_i = 00011. Eve
then calculates the difference between these two outputs: 10010 \oplus 00011 = 10001. Thus,
Eve does not need any information about the key to obtain this. Now she can run the
blocks through the S-Boxes and obtain this difference, as well as through the P-box and get
this difference. Knowing all these differences allows Eve to run more messages through the
cipher and observe which of these are more probable than others, and she can start guessing
at keys.

Biham and Shamir first utilized differential cryptanalysis on some reduced-round DES variants.
For a six-round DES, they showed that a chosen plaintext attack broke the algorithm
in less than 0.3 seconds on a personal computer (PC) [28,30]. If the encryption machine
is not known, but the plaintext-ciphertext pair is known (called a known plaintext attack),
then differential cryptanalysis reduces the space to 2^{55} ciphertexts. Biham and Shamir also
proved that "any reduced variant of DES is breakable by a chosen plaintext attack faster
than via exhaustive search" [28]. A brute force attack on DES requires 2^{55} operations,
but Biham and Shamir broke DES with differential cryptanalysis using a chosen plaintext
attack on 2^{47} plaintexts. Only 2^{36} ciphertexts are needed, however, to analyze and deduce
the key. A known-plaintext attack on DES does not reduce the operation space. While
a differential cryptanalytic method might seem like a massive breakthrough in cracking
DES, this space is still unreachable in a feasible time period for most people and the costs
are high. In fact, if an exhaustive key search of 2^{55} operations is performed, assuming the
DES algorithm can be implemented at a modern rate of 1.6 gigabytes/sec, then a chip can
perform (1.6 \times 10^9)/64 = 2.5 \times 10^7 DES computations per second. Even at this rate, this
would take 2^{55}/(2.5 \times 10^7) \approx 1.4 \times 10^9 seconds \approx 45 years [31]. Even in a chosen plaintext attack
with the ability to store the entire search space, the storage of plaintext-ciphertext pairs
for example requires upwards of 280 terabytes (TB) [31]. For some perspective, the highest
capacity hard drive on the commercial market right now has a 12 TB capacity and it costs
over $1,600.

At the CRYPTO ’93 Rump Session, researcher Michael Wiener proposed a design for a 
theoretical DES brute force cracker that could break the algorithm in an average of 3.5 
hours with guaranteed results in seven hours [9]. Wiener estimated the cost of this machine 
to be $1 million; the machine could conduct a key search in parallel so that 16 encryptions 
could occur simultaneously [10]. Although no one has publicly admitted to constructing 
such a machine, this financial cost would not be that expensive for a large organization, 
government, military, or country. 

In 1994, Mitsuru Matsui developed a new cryptanalytic technique called linear cryptanalysis.
In his first paper, where he developed the method, Matsui reduced the search space to
2^{47} known plaintexts [32]. While this equaled the work of Biham and Shamir, Matsui improved
the technique in his second paper and showed a complexity of 2^{43} [33]. This method
was apparently unknown to the DES designers.

Linear cryptanalysis is a known plaintext attack that essentially makes use of a linear function
of the input bits. There are two parts to linear cryptanalysis, which Matsui refers to as
Algorithm 1 and Algorithm 2 [32]. The goal is to find a linear expression

p_1 \oplus p_2 \oplus p_3 \oplus \cdots \oplus p_m \oplus c_1 \oplus c_2 \oplus c_3 \oplus \cdots \oplus c_m = k_1 \oplus k_2 \oplus k_3 \oplus \cdots        (3.17)

where the p_i, c_i and k_i are bit positions in the corresponding plaintext, ciphertext, and key,
respectively, such that the expression holds with probability p \ne 0.5. The first step entails
finding linear equations or approximations relating bits of the plaintext, ciphertext, and key
via the S-Boxes. Once this linear relation is determined, the relation is then expanded to
the other operations in the cipher to arrive at a linear approximation for the entire cipher.
For example, perhaps the second bit of the plaintext XORed with the first and third bits of
the ciphertext equal the fifth bit of the key, i.e., p_2 \oplus c_1 \oplus c_3 = k_5. However, since the key
is unknown, the algorithm is initiated by setting the right hand side of Equation 3.17 equal
to 0 or 1. Thus, we often start with the linear equation p_1 \oplus p_2 \oplus \cdots \oplus c_1 \oplus c_2 \oplus \cdots = 0.

Once the expression is determined, the cryptanalyst applies all possible input and output
values to the expression to determine the probability the equation is true. By counting the
number of times that this equation is true for a given key bit value, we can deduce partial
key bits based on probability. Specifically, we find T_{max} and T_{min}, where these represent
the maximum and minimum number of plaintexts such that the left hand side of Equation
3.17 is zero. If |T_{max} - N/2| > |T_{min} - N/2|, where N is the number of plaintexts used, then the partial key guessed is 0; if the inequality
is flipped, guess 1 [32,33]. This guess acts on the notion that for a given key bit value,
this T value is the most likely set of bits and the corresponding linear approximation holds
with high probability. Although linear cryptanalysis reduces the complexity to 2^{43}, it is still
highly theoretical and costly in time, money, and processing power.

A more recent development with linear cryptanalysis was conducted by Pascal Junod in his 
master’s thesis. By implementing Matsui’s algorithm on a special processor optimized 
for linear cryptanalysis, Junod showed via experiment that given 2^^ known plaintext- 
ciphertext pairs, the complexity of attack could be reduced to 2^® [34]. 

Still, it would seem that the most popular approach to the cryptanalysis of DES is an exhaustive search of the key space. In 1997, RSA Data Security issued a public challenge to decrypt a DES message and find the key, while also offering $10,000 to the winner. Computer scientist Rocke Verser took on the challenge and submitted the correct key in five months. Verser's method was a program that searched the key space using processing time contributed by thousands of personally and corporately owned computers [12].

In 1998, the second challenge was issued by RSA Data Security, but this time the key was found in just 39 days. Later that year, in the summer of 1998, the Electronic Frontier Foundation (EFF) started a project called "DES Cracker," a computer built specifically for parallel computing. For just $250,000, EFF used DES Cracker to find a key in 56 hours [10]. In 1999, RSA Labs issued the third challenge, which was won by the DES Cracker again. With 100,000 computers networked across the globe, the correct key was found in 22 hours and 15 minutes, testing over 245 billion keys per second [10]. This essentially spelled the end of DES as a national standard. For more information on how EFF designed and implemented the DES Cracker, the reader should consult [12].

While brute force attacks as well as linear and differential cryptanalysis tackle the algorithm head on, there are other means to attack DES through known weaknesses. One such way depends on the key used. Some keys are better than others, and specifically a key made up of all 0s or all 1s or a 50/50 split is considered weak. Due to the method for key generation, a key with this makeup will be the same key used in every round of the algorithm [9].

The other potential weakness is in the actual design of the S-Boxes. Several analysts have studied the S-Boxes and shown interesting relationships. Davio et al. expanded on a point that Hellman made concerning the redundancy in the fourth S-Box, $S_4$. $S_4$ uses only one nonlinear function, and as a result, the last three output bits "can be derived from the first one by complementing some of the input bits and by complementing the second and third outputs under control of the variable" [35]. Desmedt et al. proved that if the input to three neighboring S-Boxes was changed, then the output of the round function $f$ will remain the same under certain conditions. In this set of conditions, the notation $abcdef$ represents the 6-bit input to the S-Boxes [36]. The conditions listed below must all be satisfied:

1. complement the inputs $a$, $b$ and $e$ of the middle three S-Boxes;

2. complement the input $c$ or $d$ of the last S-Box;

3. do not complement the input $f$ of the middle three S-Boxes.

Additionally, Shamir noted that by examining the XOR of the output bits, there was a clear imbalance. Take for example $S_1$, denoted in Table 3.10. If we look at the entries where $s_1 \oplus s_2 \oplus s_3 \oplus s_4 = 0$, where $s_i$ is a bit in the S-Box output, then there are seven such outputs on the left half of $S_1$ versus 25 on the right half [9,37]. Similar imbalance is apparent in the remaining S-Boxes. These are just features of the S-Boxes that an adversary could potentially take advantage of.

CHAPTER 4:
Boolean Functions 


I am now about to set seriously to work upon preparing for the press an account
of my theory of Logic and Probabilities which in its present state I look upon 
as the most valuable if not the only valuable contribution that I have made or 
am likely to make to Science and the thing by which I would desire if at all to 
be remembered hereafter... 


~ George Boole in a letter to William Thomson, 1851 


The study of BFs is a relatively old discipline dating back to the 1800s. The study of BFs in cryptography, however, is fairly nascent. BFs owe their name to English mathematician George Boole (1815-1864). Boole came from a poor, working class family that often struggled to make ends meet. The young Boole became interested in learning and even taught himself Greek by the age of 14. Boole was forced into work at the age of 16, and subsequently became a teacher at a small school in 1831. From that point forward, he remained in academia until his death in 1864. Boole's most significant contribution to mathematics centered on two publications in 1847 and 1854, in which he introduced algebra into Aristotelian logic. The resulting Boolean algebra became a building block of modern day circuit analysis and model theory. The definitive work on Boole's life is Desmond MacHale's George Boole: His Life and Work, 1985, but a more concise synopsis is available in [38].


4.1 Boolean Algebra and Operations 

Perhaps the reader is familiar with the Boolean algebra used in logic and circuit design. This algebra has two operations, namely addition and multiplication on the set {0,1}. The Boolean sum and product are given by Table 4.1.
These operations should not be confused with the ones we define for BFs. BFs also utilize a sum and a product, but they operate on vectors and not just single bits. While the product operation is the same, addition of BFs uses the XOR and has the truth table representation in Table 4.2 (note this is the same as addition in the finite field $\mathbb{F}_2$).


 x_1 | x_2 | ⊕ (XOR)
-----+-----+---------
  0  |  0  |    0
  0  |  1  |    1
  1  |  0  |    1
  1  |  1  |    0

Table 4.2: Boolean Function Addition.


For the world of BFs, we consider a vector space $V_n$ of dimension $n$ over the two-element field $\mathbb{F}_2$. Thus, elements of $V_n$ are vectors with $n$ components, or in our case bits. We also require this vector space to operate over $\mathbb{F}_2$. Given two vectors in $V_n$, say $a = (a_1, a_2, \ldots, a_n)$ and $b = (b_1, b_2, \ldots, b_n)$, we define addition over $\mathbb{F}_2$ as [39]:

$a \oplus b = (a_1 \oplus b_1, a_2 \oplus b_2, \ldots, a_n \oplus b_n).$ (4.1)

The bold font is only used to emphasize that these are vectors, but the notation $\bar{a}$ or $\vec{a}$ is sometimes also used. Likewise, we also define the scalar product of two vectors in $V_n$ as:

$a \cdot b = a_1 b_1 \oplus a_2 b_2 \oplus \cdots \oplus a_n b_n.$ (4.2)

There is one more operation on BFs that we consider. This operation, denoted by $*$, resembles a concatenation. It is defined componentwise as $a * b = (a_1 b_1, a_2 b_2, \ldots, a_n b_n)$. We can now define just exactly what a BF is.


4.2 Definitions and Representations 


Definition 4.2.1. [39] A Boolean function $f$ in $n$ variables is a map from $V_n$ to $\mathbb{F}_2$,

$f : V_n \to \mathbb{F}_2.$ (4.3)

Since the vector space $V_n$ is over the finite field $\mathbb{F}_2$, the vectors in the domain of a BF are binary vectors. Thus, $V_n$ can also be represented as the set $\mathbb{F}_2^n$ of all binary vectors of length $n$ considered as an $\mathbb{F}_2$ vector space [40]. Given this alternate notation, other representations of a BF are

$f : \mathbb{F}_2^n \to \mathbb{F}_2$ [40] (4.4)

[41]. (4.5) 

It is often more convenient to use the notation given in Equation 4.4, thus we will stick with this for the remainder of the thesis. A BF can be uniquely represented by its truth table, a (0,1)-sequence defined as $(f(v_0), f(v_1), \ldots, f(v_{2^n - 1}))$, where the $f(v_i)$ are the function output values and the $v_i$ are ordered lexicographically [39].

EXAMPLE 4.2.2. Consider the truth table for the BF $f : \mathbb{F}_2^3 \to \mathbb{F}_2$ in Table 4.3. The unique representation for this BF is given by the column of outputs as a sequence, (0,0,1,1,1,1,0,1). Note that this output column is a binary string of length $2^3$.
 x_3 | x_2 | x_1 | f
-----+-----+-----+---
  0  |  0  |  0  | 0
  0  |  0  |  1  | 0
  0  |  1  |  0  | 1
  0  |  1  |  1  | 1
  1  |  0  |  0  | 1
  1  |  0  |  1  | 1
  1  |  1  |  0  | 0
  1  |  1  |  1  | 1

Table 4.3: Truth Table of a BF.


Example 4.2.2 displays the truth table representation for a BF, but it deserves some more explanation. A vector in $\mathbb{F}_2^n$ has $n$ bits, and we label the input bits as $x_i$ for $1 \le i \le n$. The ordering of the $x_i$ is unimportant; we can order them left to right or right to left. Each row in the truth table represents a vector in $\mathbb{F}_2^n$, and ordering here is important. The vector space $\mathbb{F}_2^n$ contains $2^n$ vectors, whereby each vector $v_i$ is displayed in a truth table by the binary representation $b(i)$ of $i$, $0 \le i \le 2^n - 1$. Thus, in Table 4.3, the eight vectors in $\mathbb{F}_2^3$ are ordered lexicographically by their binary representations from zero to seven.

The other way to represent a BF is via a polynomial in

$\mathbb{F}_2[x_1, x_2, \ldots, x_n] / (x_1^2 - x_1, x_2^2 - x_2, \ldots, x_n^2 - x_n).$

This polynomial representation of a BF is referred to as the algebraic normal form (ANF), given as

$f(x) = f(x_1, x_2, \ldots, x_n) = \bigoplus_{a \in \mathbb{F}_2^n} \lambda_a \left( \prod_{i=1}^{n} x_i^{a_i} \right), \quad \lambda_a \in \mathbb{F}_2, \quad a = (a_1, a_2, \ldots, a_n).$ (4.6)

Equation 4.6 [42] will make more sense in a bit, but first we need to define some more terms. The Hamming weight of an arbitrary vector $x$ in $\mathbb{F}_2^n$, denoted by $wt(x)$, is the number of 1s in the vector $x$. Similarly, the Hamming weight of $f$ is the number of 1s in the truth table output sequence. The support (or on-set) of a BF $f$, denoted by $\Omega_f = \{x \in \mathbb{F}_2^n : f(x) = 1\}$, is the set of vectors whose truth table output is 1 [39,42]. Thus, we can also define the Hamming weight of $f$ as $wt(f) = |\Omega_f|$. The Hamming distance between two functions $f$ and $g$ is the weight of $f \oplus g$, i.e., $wt(f \oplus g)$.

The algebraic degree of $f$ is the largest value of the Hamming weight of $a$ such that $\lambda_a \neq 0$ [42], or more simply the number of variables in the highest order monomial with nonzero coefficient [39].


EXAMPLE 4.2.3. Let us refer back to Example 4.2.2 for demonstration of these concepts. Below are the truth table and ANF for this function $f$. The Hamming weight of $f$ is $wt(f) = 5$; the degree of $f$ is $deg(f) = 3$ since the largest term in the ANF is $x_1 x_2 x_3$.

Truth table sequence: (0,0,1,1,1,1,0,1); ANF is $x_2 \oplus x_3 \oplus x_1 x_2 x_3$.

Table 4.4: Representations of a BF.


There is an injective mapping from the ANF representation of a BF to its truth table, so that given one we can find the other. There are several ways to do this, and we start with the algebraic method. The ANF of a BF is specified by its support in the following manner:

$f(x_1, x_2, \ldots, x_n) = \bigoplus_{\tau \in \Omega_f} \left( \prod_{i=1}^{n} (x_i + \tau_i + 1) \right), \quad \tau = (\tau_1, \tau_2, \ldots, \tau_n).$ (4.7)

Using Equation 4.7, we can see how the ANF of $f$ was computed in Example 4.2.3. Only the vectors in the support are considered for the ANF. In the expansion below, there is no difference between the usual "+" and $\oplus$; they both represent the XOR operation, but merely help to differentiate between vectors.

ANF $= (x_1 + 1) x_2 (x_3 + 1) \oplus x_1 x_2 (x_3 + 1) \oplus (x_1 + 1)(x_2 + 1) x_3 \oplus x_1 (x_2 + 1) x_3 \oplus x_1 x_2 x_3$
$= (x_1 + 1)(x_2 x_3 + x_2) \oplus x_1 x_2 + x_1 x_2 x_3 \oplus (x_1 + 1)(x_2 x_3 + x_3) \oplus x_1 x_3 + x_1 x_2 x_3 \oplus x_1 x_2 x_3$
$= x_1 x_2 x_3 + x_2 x_3 + x_1 x_2 + x_2 \oplus x_1 x_2 + x_1 x_2 x_3 \oplus x_1 x_2 x_3 + x_2 x_3 + x_1 x_3 + x_3 \oplus x_1 x_3 + x_1 x_2 x_3 \oplus x_1 x_2 x_3$
$= x_2 + x_3 + (x_1 x_2 + x_1 x_2) + (x_2 x_3 + x_2 x_3) + (x_1 x_3 + x_1 x_3) + (x_1 x_2 x_3 + x_1 x_2 x_3 + x_1 x_2 x_3 + x_1 x_2 x_3 + x_1 x_2 x_3)$
$= x_2 \oplus x_3 \oplus x_1 x_2 x_3$

(each pair of equal terms cancels mod 2, and of the five copies of $x_1 x_2 x_3$ one survives).


To convert back to the truth table sequence from the ANF, the process is the same with a minor difference. Form a table similar to a truth table but replace the output column with the ANF coefficients. Note in Table 4.5 that in the $c$ column, 1s appear in the rows representing the terms in the ANF: $x_2$, $x_3$, and $x_1 x_2 x_3$. Reproducing the method from the preceding paragraph will yield the truth table output sequence for the function $f$.

Table 4.5: Conversion from ANF to Truth Table Sequence.


The other, somewhat quicker method to convert between the two representations is the Transeunt triangle as proven by Shafer et al. in [43,44]. In this method, either the truth table output sequence or the ANF sequence is placed in a row. Then, in an inverted Pascal's triangle fashion, consecutive values in this row are added mod 2 (synonymous with $\oplus$). The result of the addition is placed in the next higher row between the two values on which the operation was performed [43]. The operations are repeated until a row with one entry is reached; the left side of the resulting triangle is the (0,1)-sequence of the desired representation. In Figure 4.1, the output of the function $f$ from Example 4.2.2 is placed on the bottom row of the Transeunt triangle. After the triangle is formed, the left side is the (0,1)-sequence of ANF coefficients, which matches the polynomial in Example 4.2.3. In an analogous way, if the ANF coefficients are placed on the bottom row, the resulting triangle will reveal the truth table output sequence.


                  1
                 0 1
                0 0 1
               1 1 1 0
              0 1 0 1 1
             1 1 0 0 1 0
            0 1 0 0 0 1 1
           0 0 1 1 1 1 0 1

Figure 4.1: Transeunt Triangle Representation. Read from the bottom row (the truth table of $f$) upward, the left edge is (0,0,1,0,1,0,0,1), whose 1s sit at the positions of $x_2$, $x_3$, and $x_1 x_2 x_3$.
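Both conversions just described, the support formula of Equation 4.7 and the Transeunt triangle, applied to the function of Example 4.2.2, as an added Python example that is not part of the thesis; it uses the row ordering of Table 4.3 with $x_1$ as the least significant bit, and the function names are my own.

```python
# Added example (not from the thesis): converting a Boolean function between
# its truth-table sequence and its ANF coefficient sequence, first by the
# support formula of Equation 4.7 and then by the Transeunt triangle.
# Row i of a truth table is the binary representation b(i) of i, and index i
# of the coefficient sequence stands for the monomial whose variables are the
# 1-bits of b(i); x_1 is taken as the least significant bit (Table 4.3).
from itertools import product


def bits(i, n):
    """(x_1, ..., x_n) for row index i, x_1 least significant."""
    return tuple((i >> k) & 1 for k in range(n))


def support(tt):
    """Omega_f: indices of the rows whose output is 1."""
    return [i for i, v in enumerate(tt) if v == 1]


def anf_from_support(tt):
    """ANF coefficients via Equation 4.7: XOR over tau in the support of
    prod_i (x_i + tau_i + 1), expanded symbolically monomial by monomial."""
    n = len(tt).bit_length() - 1
    coeff = [0] * len(tt)
    for tau in support(tt):
        t = bits(tau, n)
        # Expanding prod_i (x_i + c_i) with c_i = tau_i + 1: from every factor
        # pick either x_i (choice 1) or the constant c_i (choice 0); the
        # monomial survives only if all picked constants are 1.
        for choice in product((0, 1), repeat=n):
            const = 1
            for k in range(n):
                if choice[k] == 0:
                    const &= t[k] ^ 1
            if const:
                monomial = sum(c << k for k, c in enumerate(choice))
                coeff[monomial] ^= 1
    return coeff


def transeunt(row):
    """Transeunt triangle: XOR neighbouring entries row by row until one entry
    remains; the left edge (bottom to top) is the converted sequence. The
    same procedure maps truth table -> ANF and ANF -> truth table."""
    left = [row[0]]
    cur = list(row)
    while len(cur) > 1:
        cur = [cur[j] ^ cur[j + 1] for j in range(len(cur) - 1)]
        left.append(cur[0])
    return left


def evaluate_anf(coeff, x):
    """Evaluate Equation 4.6 at row index x: XOR of the coefficients of the
    monomials whose variables are all 1 in b(x)."""
    return sum(c for m, c in enumerate(coeff) if (x & m) == m) & 1


def anf_terms(coeff):
    """Monomials with nonzero coefficient as strings, '1' for the constant."""
    n = len(coeff).bit_length() - 1
    return ["".join(f"x{k + 1}" for k in range(n) if (m >> k) & 1) or "1"
            for m, c in enumerate(coeff) if c]


def weight(tt):
    """Hamming weight wt(f): number of 1s in the truth table."""
    return sum(tt)


def degree(coeff):
    """Algebraic degree: largest wt(a) with lambda_a != 0 (0 for f = 0)."""
    return max((bin(m).count("1") for m, c in enumerate(coeff) if c), default=0)


# Truth table of the function from Example 4.2.2 / Table 4.3.
F = [0, 0, 1, 1, 1, 1, 0, 1]

if __name__ == "__main__":
    anf = anf_from_support(F)
    print("ANF via Eq. 4.7:", anf, anf_terms(anf))        # x2, x3, x1x2x3
    print("ANF via triangle:", transeunt(F))              # same sequence
    print("back to truth table:", transeunt(anf))         # recovers F
    print("wt(f) =", weight(F), " deg(f) =", degree(anf))  # 5 and 3
```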


A BF whose algebraic degree does not exceed one is called an affine function. An affine function with constant term equal to zero is called a linear function [42,45]. Mathematically, an affine function on $\mathbb{F}_2^n$ has the form

$\ell_{a,c}(x) = a \cdot x \oplus c = a_1 x_1 \oplus \cdots \oplus a_n x_n \oplus c,$ (4.8)

where $a = (a_1, a_2, \ldots, a_n) \in \mathbb{F}_2^n$, $c \in \mathbb{F}_2$ [39].

EXAMPLE 4.2.4. An example of an affine function, $f : \mathbb{F}_2^n \to \mathbb{F}_2$, is $x_1 \oplus x_2 \oplus x_4 \oplus 1$, while an example of a linear function is $x_1 \oplus x_2 \oplus x_4$.

A BF is called homogeneous if its ANF contains terms all of the same degree. The linear function in Example 4.2.4 is homogeneous. A function such as $x_2 x_4 x_5 \oplus x_1 x_3 x_5 \oplus x_3 x_4 x_5$ is also homogeneous.
4.3 Cryptographic Properties of Boolean Functions

Until this point, we have discussed the meaning of a BF and even hinted at nonlinear components of a cryptosystem. Now we need to formally define properties of BFs that make them useful for cryptography. BFs are used in many symmetric key algorithms, and there is a correlation between cryptanalysis and the properties of the BFs used. There is no established set of criteria for determining which mix of properties is necessary in the construction of a cryptographic BF, but some are more important than others. As various people have shown, the desired cryptographic properties of a BF generally depend on which type of cryptanalytic attack they are to withstand and the structure of the algorithm itself.

4.3.1 Balance 

Perhaps the easiest property for a BF to satisfy is balance. A BF is balanced if its output is equally distributed [46]. In other words, a balanced BF on $n$ variables has weight $wt(f) = 2^{n-1}$. In a truth table, balance is the property that half the output bits are 1 and the other half are 0. In this respect, the question of balance is a binary yes or no decision. By using this property, it can be difficult for an adversary to obtain statistical dependencies between the plaintext and ciphertext pairs [40].

4.3.2 Nonlinearity 

Linearity is a cryptographer’s worst nightmare. 

~ Pante Stanica, Naval Postgraduate School (NPS) Professor 


In Subsection 3.4.3, we introduced nonlinearity as a design criterion for the DES S-Boxes. It is not surprising that many researchers and experts feel that nonlinearity is the most important criterion for a BF to satisfy. The linear cryptanalytic attack takes advantage of linear equation schemes to break a cipher, which matters because linear equations can be solved in polynomial time. While it is not the aim of this thesis to describe or examine how to construct strong nonlinear BFs, the reader can delve more into this topic in [40,45,47-51].

In terms of characterization, a nonlinear BF is a non-affine function, i.e., a BF whose ANF contains at least one term with algebraic degree greater than one [51]. With respect to a specific function, nonlinearity, $\mathcal{N}_f$, is defined as the minimum Hamming distance to the class of all affine functions, or the distance to the nearest affine function on $\mathbb{F}_2^n$ [45,46]. Since nonlinearity is an integer valued property, functions can have varying measures of cryptographic strength. In general, a BF used for cryptography should have the highest nonlinearity possible. Of course, the nonlinearity of $f$ is bounded above [40,45] so that the highest possible nonlinearity is




Willi Meier and Othmar Staffelbach [51] further clarified that a cryptographically good nonlinear function also needs to be "invariant under a certain group of transformations." In their example, a BF $f(x_1, x_2, \ldots, x_n)$ might contain all nonlinear terms, but a simple complement operation turns the function into a monomial with just one term. This new function under transformation is poor with respect to the number of nonlinear terms. Thus, BFs must have a large Hamming distance to the class of all affine functions to provide confusion in an algorithm [40]. Mathematically, nonlinearity is defined as

$\mathcal{N}_f = \min_{\ell \in \mathcal{A}_n} d(f, \ell),$ (4.9)

where $d(f, \ell)$ is the Hamming distance between $f$ and an affine function $\ell$, and $\mathcal{A}_n$ is the class of all affine functions on $\mathbb{F}_2^n$. The exact nonlinearity value of a BF $f$ is given in terms of the Walsh Transform, which will be further explained in Section 4.5.

4.3.3 Correlation Immunity 

The notion of correlation immunity was developed in 1984 by Thomas Siegenthaler [52], when he noted that certain stream ciphers were vulnerable to correlation attacks. Recall that in a stream cipher, the encryption scheme enciphers plaintext characters individually. As a plaintext bit moves through the cipher, a key combines with the bit to form the corresponding ciphertext. Each of these plaintext characters passing through the cipher requires a key, but the process for generating the set of keys (key stream) is different for every cipher. Many stream ciphers use the LFSR technique for key stream generation. In this method, multiple LFSRs are set in parallel, with their outputs combined via a nonlinear BF to break up the linearity. The resulting combination forms the key stream. In a correlation attack, the adversary observes a correlation between the individual LFSR outputs and the key stream [9,53].

Thus, a BF is correlation immune of order $k$ if its output is statistically independent of the combination of any $k$ of its inputs [46]. Alternately, a BF $f$ in $n$ variables is correlation immune of order $k$, $1 \le k \le n$, if $P[(x(i_1), x(i_2), \ldots, x(i_k)) \mid f(x) = p] = \frac{1}{2^k}$, where $x(i)$ is the value of the $i$-th bit, $p \in \mathbb{F}_2$, and $P[A \mid B]$ is the conditional probability of an event $A$ given event $B$.

EXAMPLE 4.3.1. Consider the following truth table for a function $f(x_1, x_2, x_3)$. To check that this function is correlation immune of order 1, we must check all 1-variable subsets with their possible values and ensure that the outputs are independent of the differing inputs. The case where $f = 0$ should also be checked, but the result is the same; $P = \frac{2}{4} = \frac{1}{2}$.

$P[x_1 = 0 \mid f = 1] = 2/4$
$P[x_1 = 1 \mid f = 1] = 2/4$
$P[x_2 = 0 \mid f = 1] = 2/4$
$P[x_2 = 1 \mid f = 1] = 2/4$
$P[x_3 = 0 \mid f = 1] = 2/4$
$P[x_3 = 1 \mid f = 1] = 2/4$

Table 4.6: A 3-Variable BF, Correlation Immune of Order $k = 1$.

4.3.4 Resiliency 

A year after Siegenthaler's introduction of correlation immunity, Benny Chor et al. introduced the term resiliency [54]. In [54], the authors describe a function $f$ to be $t$-resilient if for every subset $T$ of the $n$ input variables of cardinality $t$, $f$ is unbiased with respect to $T$, i.e., $f$ as a random variable is unbiased. In simpler fashion, a BF is $k$-resilient if it is both balanced and correlation immune of order $k$ [39].

Siegenthaler was nevertheless influential in explaining how resiliency relates to correlation attacks. If a function is not $k$-resilient, then a correlation can be found between the output bits and at most $k$ input bits [40]. There is an obvious connection here with the algebraic degree of a BF. Due to Siegenthaler, we know that for a function in $n$ variables of degree $d$, and correlation immune of order $k$, the following inequality holds: $k + d \le n$ [52]. Furthermore, we also know that if the function is balanced and $k < n - 1$, then $k + d \le n - 1$, i.e., $d \le n - k - 1$. In cryptography, we aim to make the resiliency as high as possible. Resiliency, along with several of these other properties, can also be described in terms of the Walsh Transform (see Section 4.5).


4.3.5 Algebraic Immunity 

The concept of algebraic immunity also arose from the study of LFSR based stream ciphers vulnerable to correlation attacks. Nicolas Courtois [55] first proposed algebraic attacks on those stream ciphers that either had a low-degree BF combiner or whose BF could be approximated with a low-degree polynomial. Courtois and Meier [56] later proved that this type of attack could be applied by multiplying a high-degree combiner with a carefully chosen low degree multivariate polynomial. The idea behind an algebraic attack rests on the fact that an adversary has access to some plaintext and corresponding ciphertext bits, as well as some bits of the key stream. Since the key stream is a result of the combining function, this is not too wild of an assumption. The adversary then deduces a series of low degree multivariate polynomials from each of the combiner output states, to which the key bits are solutions. The resulting system of multivariate low degree polynomials can be solved efficiently and the secret key can be recovered [42,53,55,56].

A nonzero polynomial $g$ is called an annihilator of a polynomial $f$ if $fg = 0$. With respect to the preceding paragraph, an annihilator of low degree aids in the implementation of an algebraic attack. Similarly, we need to consider multiples of $f$, i.e., $f \oplus 1$, since low degree annihilators of $f \oplus 1$ also give way to algebraic attacks [39,40]. Thus, the algebraic immunity of $f$, denoted by $AI(f)$, is the minimum degree of $g$ such that $g$ is an annihilator of $f$ or $f \oplus 1$, i.e., $AI(f) = \min\{\deg(g) : fg = 0 \text{ or } (f \oplus 1) g = 0\}$.

EXAMPLE 4.3.2. Given $f(x_1, x_2, x_3, x_4) = x_1 x_2 x_3 x_4$ and $g(x_1, x_2, x_3, x_4) = x_1 \oplus x_2 \oplus x_3 \oplus x_4$, the algebraic immunity of $f$ is 1, $AI(f) = 1$. Since $fg = x_1 x_2 x_3 x_4 \oplus x_1 x_2 x_3 x_4 \oplus x_1 x_2 x_3 x_4 \oplus x_1 x_2 x_3 x_4 = 0$, the minimum degree of $g$ to satisfy this equation is 1, after [53].
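An added Python example, not from the thesis, that finds $AI(f)$ by exhaustive search over low-degree annihilators of $f$ and $f \oplus 1$; it reproduces $AI(x_1 x_2 x_3 x_4) = 1$ from Example 4.3.2 and also handles the constructed function $x_1 x_2 \oplus x_3 x_4$, which has no affine annihilator. The bit-mask encoding of monomials and the function names are my own conventions, and the search is only practical for small $n$.

```python
# Added example (not from the thesis): algebraic immunity
# AI(f) = min{deg(g) : g != 0, f g = 0 or (f + 1) g = 0}, found by trying every
# nonzero g whose ANF uses only monomials of degree <= d for d = 0, 1, 2, ...;
# the first d that yields an annihilator is AI(f). Exhaustive, so only meant
# for n <= 4; real tools solve a linear system over F_2 instead.
# Row x of a truth table is b(x) with x_1 the least significant bit, and a
# monomial is encoded as the bit mask of the variables it contains.
from itertools import combinations


def truth_table_of_anf(monomials, n):
    """Truth table of g = XOR of the given monomials (Equation 4.6): monomial
    m evaluates to 1 at x exactly when every variable of m is 1 in b(x)."""
    return [sum(1 for m in monomials if (x & m) == m) & 1 for x in range(1 << n)]


def annihilates(g, f):
    """f g = 0 as functions: g must vanish wherever f is 1."""
    return all(not (u and v) for u, v in zip(f, g))


def monomial_name(m, n):
    return "".join(f"x{k + 1}" for k in range(n) if (m >> k) & 1) or "1"


def algebraic_immunity(f):
    """Return (AI(f), g) where g is the ANF (list of monomial names) of one
    minimum-degree annihilator of f or of f + 1."""
    n = len(f).bit_length() - 1
    f_complement = [v ^ 1 for v in f]
    for d in range(n + 1):
        monos = [m for m in range(1 << n) if bin(m).count("1") <= d]
        # Every nonzero combination of these monomials is a g of degree <= d;
        # combinations of strictly lower degree were already rejected at d-1.
        for r in range(1, len(monos) + 1):
            for combo in combinations(monos, r):
                g = truth_table_of_anf(combo, n)
                if any(g) and (annihilates(g, f) or annihilates(g, f_complement)):
                    return d, [monomial_name(m, n) for m in combo]
    return n, []  # not reached: f itself annihilates f + 1 (or g = 1 does f = 0)


# Constructed inputs: the f of Example 4.3.2 and the quadratic x1x2 + x3x4.
F_PAGE = truth_table_of_anf([0b1111], 4)          # x1 x2 x3 x4
QUAD = truth_table_of_anf([0b0011, 0b1100], 4)    # x1 x2 + x3 x4

if __name__ == "__main__":
    for name, tt in (("x1x2x3x4", F_PAGE), ("x1x2+x3x4", QUAD)):
        ai, g = algebraic_immunity(tt)
        print(f"AI({name}) = {ai}, annihilator g = {' + '.join(g)}")
    # Example 4.3.2's g = x1 + x2 + x3 + x4 is one of the degree-1 annihilators.
    print(annihilates(truth_table_of_anf([1, 2, 4, 8], 4), F_PAGE))
```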
4.3.6 Strict Avalanche Criteria and Propagation Criteria

Recall that in the explanation of the DES round function, we mentioned the notion of an avalanche effect. Feistel [57] was the first to use this term with regard to error detection in codes. He noted that a single error in plaintext could cause an avalanche of errors in the rest of the message when encrypted with a computer. Today, the avalanche effect is observed if a small change in function input yields a large change in function output [39]. With respect to a BF, the avalanche effect is present if, on average, half of the output bits change when one bit in the input is complemented (i.e., $\oplus 1$) [58].

The strict avalanche criteria (SAC) is an extension of the avalanche effect, requiring that "each output bit should change with a probability of one half whenever a single output bit is complemented" [58]. Formally, A. F. Webster and Tavares defined SAC in a more precise manner.

Definition 4.3.3. Let $X$ and $X_i$ be $n$-bit binary plaintext vectors, such that $X$ and $X_i$ differ in one bit, $1 \le i \le n$, i.e., $wt(X \oplus X_i) = 1$. Let $V_i = Y \oplus Y_i$, where $Y = f(X)$, $Y_i = f(X_i)$ and $f$ is a function. If $f$ satisfies the SAC, then the probability that each bit in $V_i$ is equal to one should be one half over the set of all possible plaintext vectors $X$ and $X_i$.

Kwangjo Kim and others [49,59,60] provide a more implementable definition of SAC. Let $c_i^{(n)}$ denote an $n$-dimensional vector with Hamming weight one at the $i$-th position.

Definition 4.3.4. A function $f : \mathbb{F}_2^n \to \mathbb{F}_2^m$ satisfies the SAC if for all $i$ ($1 \le i \le n$) the following equations hold:

$\sum_{x \in \mathbb{F}_2^n} \left( f(x) \oplus f(x \oplus c_i^{(n)}) \right)$ (4.10)

Definition 4.3.4 is the most general definition for any function, but since we are mainly concerned with BFs, the codomain is just $\mathbb{F}_2$ and the right hand side of the equation is just $2^{n-1}$. Thus, a one bit change in the $2^n$ input vectors results in an output change for $2^{n-1}$ of those vectors (i.e., exactly half). Example 4.3.5 demonstrates the SAC for a BF on three variables.

EXAMPLE 4.3.5. In this BF with $n = 3$, the possible one-bit changes are reflected to the right of the original function output column. Note that for each bit change, the output changes for exactly $2^2 = 4$ vectors.

Table 4.7: A 3-Variable BF Satisfying the SAC, after [39].


Another result that follows from the SAC is balance in the Hamming weights between the contrasting outputs. This result is also from Webster and Tavares [58], but is formalized by Cusick and Stanica [39] as a lemma.

Lemma 4.3.6. A BF $f : \mathbb{F}_2^n \to \mathbb{F}_2$ satisfies the SAC iff the function $f(x) \oplus f(x \oplus a)$ is balanced for every $a$ in $\mathbb{F}_2^n$ with Hamming weight 1.

As visualization of this lemma, refer back to Table 4.7. Note that the XOR between the $f$ column and any of the bit change columns is a balanced string. Although it was developed in 1986, SAC was generalized a few years later.

In 1990, Bart Preneel et al. generalized SAC as propagation criteria. A BF satisfies the propagation criteria of degree $k$, denoted as $PC(k)$, if $f(x)$ changes with a probability of one half whenever $i$ ($1 \le i \le k$) of the $n$ bits of $x$ are complemented [61]. Given this definition, SAC is equivalent to $PC(1)$.

Just like with SAC, there are alternate ways to present the definition of PC. One such definition relies on the concept of a directional derivative of a BF. If $f$ is a BF in $n$ variables and $b$ is any vector in $\mathbb{F}_2^n$, then the derivative of $f$ in the direction of $b$ is $D_b f(x) = f(x) \oplus f(x \oplus b)$ [40]. Hence, a BF $f(x)$ in $n$ variables satisfies $PC(k)$ if and only if all of the corresponding directional derivatives are balanced functions, i.e., for all $a \in E \subset \mathbb{F}_2^n$, where $E$ is the set of vectors with $1 \le wt(a) \le k$, the derivative $D_a f(x) = f(x) \oplus f(x \oplus a)$ is balanced [39,40].
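The properties of Subsections 4.3.1 to 4.3.4 and 4.3.6, checked directly from their definitions on small truth tables, as an added Python example that is not part of the thesis; the sample functions (the $f$ of Example 4.2.2, $x_1 \oplus x_2 \oplus x_3$, and $x_1 x_2 \oplus x_3 x_4$) are constructed here and the function names are my own.

```python
# Added example (not from the thesis): checking balance, nonlinearity
# (Equation 4.9, as the minimum distance to every affine function of
# Equation 4.8), correlation immunity, resiliency, and SAC / PC(k) through
# directional derivatives (Lemma 4.3.6) on functions given as truth tables.
# Row x of a truth table is b(x) with x_1 the least significant bit.
from itertools import combinations


def truth_table(n, fn):
    """Truth table of fn(x_1, ..., x_n), rows ordered by b(x)."""
    return [fn(*((x >> k) & 1 for k in range(n))) for x in range(1 << n)]


def weight(tt):
    return sum(tt)


def is_balanced(tt):
    """wt(f) = 2^(n-1): half the outputs are 1."""
    return 2 * sum(tt) == len(tt)


def affine_function(a, c, n):
    """Truth table of l_{a,c}(x) = a.x + c (Equation 4.8); a is a bit mask."""
    return [(bin(x & a).count("1") + c) & 1 for x in range(1 << n)]


def hamming_distance(f, g):
    return sum(u ^ v for u, v in zip(f, g))


def nonlinearity(tt):
    """N_f = min over all 2^(n+1) affine functions l of d(f, l) (Eq. 4.9)."""
    n = len(tt).bit_length() - 1
    return min(hamming_distance(tt, affine_function(a, c, n))
               for a in range(1 << n) for c in (0, 1))


def is_correlation_immune(tt, k):
    """Order-k correlation immunity: fixing any k inputs to any values leaves
    P[f = 1] unchanged, i.e. each of the 2^k value patterns on those inputs
    accounts for exactly wt(f) / 2^k of the rows where f = 1."""
    n = len(tt).bit_length() - 1
    w = weight(tt)
    if k == 0:
        return True
    if w % (1 << k):
        return False
    for positions in combinations(range(n), k):
        mask = sum(1 << p for p in positions)
        counts = {}
        for x, v in enumerate(tt):
            if v:
                counts[x & mask] = counts.get(x & mask, 0) + 1
        if any(counts.get(x & mask, 0) != w >> k for x in range(1 << n)):
            return False
    return True


def correlation_immunity_order(tt):
    n = len(tt).bit_length() - 1
    k = 0
    while k < n and is_correlation_immune(tt, k + 1):
        k += 1
    return k


def resiliency_order(tt):
    """k-resilient = balanced and correlation immune of order k; -1 when the
    function is not balanced, since resiliency then does not apply."""
    return correlation_immunity_order(tt) if is_balanced(tt) else -1


def derivative(tt, a):
    """Directional derivative D_a f(x) = f(x) + f(x + a), a as a bit mask."""
    return [tt[x] ^ tt[x ^ a] for x in range(len(tt))]


def satisfies_pc(tt, k):
    """PC(k): D_a f is balanced for every a with 1 <= wt(a) <= k."""
    n = len(tt).bit_length() - 1
    return all(is_balanced(derivative(tt, a))
               for a in range(1, 1 << n) if bin(a).count("1") <= k)


def satisfies_sac(tt):
    """SAC is PC(1) (Lemma 4.3.6)."""
    return satisfies_pc(tt, 1)


# Constructed sample functions.
F = [0, 0, 1, 1, 1, 1, 0, 1]                                  # Example 4.2.2
PARITY = truth_table(3, lambda x1, x2, x3: x1 ^ x2 ^ x3)       # linear
QUAD = truth_table(4, lambda x1, x2, x3, x4: (x1 & x2) ^ (x3 & x4))

if __name__ == "__main__":
    for name, tt in (("f", F), ("x1+x2+x3", PARITY), ("x1x2+x3x4", QUAD)):
        print(name, "balanced:", is_balanced(tt), "N_f:", nonlinearity(tt),
              "CI order:", correlation_immunity_order(tt),
              "resiliency:", resiliency_order(tt), "SAC:", satisfies_sac(tt))
```

Note that $x_1 \oplus x_2 \oplus x_3$ is 2-resilient with degree 1, which meets Siegenthaler's bound $k + d \le n$ with equality, while $x_1 x_2 \oplus x_3 x_4$ has nonlinearity 6 and satisfies $PC(4)$ but is neither balanced nor correlation immune.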

4.3.7 Other Properties 

There are other criteria for BFs that are not as prevalent in mainstream literature, but have gained notoriety in recent research. We start with two properties that have either already been defined or do not require definition. The first of these is the aforementioned algebraic degree. The algebraic degree contributes to the complexity of a BF and is often a factor in attacks on ciphers; we typically want to employ BFs with the highest algebraic degree possible. Algebraic attacks are very efficient against ciphers employing low degree polynomials [42], and the complexity of the higher order differential attack depends on the highest degree of the BF used in the cryptosystem [45,62].

Just because a BF has high degree, however, does not make it cryptographically relevant. We saw in Subsection 4.3.2 that via a complement operation, a function was transformed into a monomial. Even though this monomial might have high algebraic degree, it is weak when compared to a polynomial of the same degree. Thus, the other property we consider is the number of terms in the ANF. The BFs that were discussed in Subsection 4.3.3 as nonlinear combining functions in LFSR-based stream ciphers need to have high algebraic degree and many terms in the ANF in order to resist recovery of the key stream by the Berlekamp-Massey algorithm [45]. The number of terms in the ANF is not a stand alone property, however. By the same reasoning just presented, a BF with many terms could have an affine equivalent function under a transformation. Thus, this property needs to be considered together with other properties, such as affine invariance, algebraic degree, etc.

Motivated by the work of Meier and Staffelbach [51], Carlet introduced a new property with respect to the number of terms in the ANF, i.e., an affine invariant parameter. Carlet called this property the algebraic thickness of a BF. The algebraic thickness, denoted by $\mathcal{T}(f)$, is defined to be the minimum number of terms in the ANF over the set of functions $f \circ A$, where $A$ ranges over the general affine group, i.e., over all affine automorphisms of $\mathbb{F}_2^n$ [45,63,64]. As Carlet points out, we would like to work with BFs having the highest possible algebraic thickness, but "classical BFs have small algebraic thickness" [45]. Carlet is not explicit in what he denotes as classical, though one can infer that he means those BFs we are most interested in with respect to cryptographic applications. The algebraic thickness is bounded by the number of variables in the polynomial, i.e., $2^n$, but it is unproven that there exist functions $f$ for which $\mathcal{T}(f) >$ [45].

There are still other parameters that exist for which the interested reader should consult the references. One such example is the global avalanche criteria (GAC) as presented by Xian-Mo Zhang and Yuliang Zheng [65]. Both SAC and PC are known to be local characteristics of a function, namely that they guarantee avalanche features for vectors of Hamming weight either 1 or up to $k$. SAC and PC are restrictive, however, because they can admit functions having a large Hamming weight with vectors as linear structures. SAC also requires that $f(x) \oplus f(x \oplus a)$ is balanced, which rules out bent functions (see next section). Other properties include maximum correlation [40,66], nonhomomorphicity [40,67], and non-$k$-normality [40].


4.4 Bent Boolean Functions 

We have mentioned bent functions several times, and now a short background is presented. Since bent BFs are not the focus of this thesis, the reader should consult the works of John Dillon, Oscar Rothaus, Robert McFarland, W. Meier, and others [39,51,68-70] for more on this subject.

Bent BFs are desirable in cryptography because they achieve the maximum nonlinearity for a BF, but they are difficult to implement. One such reason was mentioned in the previous section: bent functions have desirable properties, but they are not balanced, and we want balanced functions as S-Boxes.

Definition 4.4.1. A BF $f$ on $\mathbb{F}_2^n$ is called bent if its Hamming distance to the set of all $n$-variable affine functions equals $2^{n-1} - 2^{n/2 - 1}$. In other words, a bent function achieves the maximum possible nonlinearity, $\mathcal{N}_f$, for any BF in $n$ variables. Furthermore, this distance is only achieved when $n$ is even [40,45].


As a result of the definition, bent functions also achieve many other characteristics. If an $n$-variable BF is bent with $n$ even, then it satisfies $PC(n)$ [39,40]. Meier and Staffelbach's perfect nonlinear functions are essentially an analogous form of bent functions [51]. There is also a definition of bent functions that uses the Walsh transform (see next section).

Although it seems that bent functions are desirable and we should be using them, the mystery surrounding them lies in construction. We know the total number of bent functions for $n = 2, 4, 6, 8$ variables, but we do not know the total for $n \ge 10$. Thus, we have no means to characterize or classify this set of bent functions under the general affine group [40]. The main difficulty here lies in the space of possible bent functions. For $n = 2$, there are 16 possible BFs and eight total bent functions. Remarkably, for $n = 8$, there are $2^{256}$ BFs and approximately total bent functions [39,71].

4.5 Walsh Transform 

Most readers are familiar with the concept of a mathematical transform. A transform is a relation that takes a function in one domain or basis and transforms it into a function in another domain or basis. A classic example of this is the Laplace Transform, which takes a function f(t) and outputs a new function F(s). We now examine another famous transform, the Fourier Transform, which allows a transfer between the time (or spatial) domain and the frequency domain.

The Fourier Transform has many applications, some of which include acoustics, digital signal processing, physics, engineering, and image processing. It is essentially an extension of the Fourier series, in which periodic behavior is modeled by an infinite sum of sines and cosines. We are interested in the non-continuous version of the Fourier Transform called the discrete Fourier Transform (DFT). In the DFT, the function used as the input is discrete and its values are given over a finite interval. This transform is also invertible so that we can move back and forth between bases.

With regard to BFs, the DFT is an invertible mapping of the function values onto a set of coefficients, called Fourier coefficients [72]. Knowledge of the Fourier coefficients gives information about the function, such as computational complexity and other properties of BFs. In particular, the DFT of a function gives the weights of all functions of the form f ⊕ ℓ, where ℓ is affine [40]. The DFT of BFs is also called the Walsh Transform (WT).

Recall from linear algebra that a basis for a vector space is a set of linearly independent vectors that can span that space, i.e., every vector in the vector space can be represented by a linear combination of the basis vectors. By doing so, we find the coordinates of every point in the space with respect to that basis. This can be difficult if the basis vectors are not orthogonal. If we can find an orthogonal basis for the vector space, then we can define an inner (dot) product and expressing all vectors in the vector space is much easier.

In the most general sense, a BF is a 0-1 valued real function defined on {0,1}^n, i.e., f : F_2^n → ℝ. If we restrict the codomain of f to only the two-valued functions on this domain, then we consider f : F_2^n → F_2. The domain of the space of all these functions is an Abelian group, for which we define a group character, Q_w(x) = (-1)^{<w·x>}. The notation <w·x> is the inner (dot) product on vectors over F_2, w_1x_1 ⊕ w_2x_2 ⊕ ⋯ ⊕ w_nx_n. The set of functions {Q_w : w ∈ F_2^n} forms an orthogonal basis for the vector space of real-valued functions on F_2^n [72]. The WT then defines the coefficients of the BF f with respect to this orthogonal basis.

Definition 4.5.1. [39,73] If f is any real-valued function on F_2^n, i.e., f : F_2^n → ℝ, then the Walsh Transform (WT)^1 of f on a vector w is defined by

    F(w) = W(f)(w) = Σ_{x ∈ F_2^n} f(x) · (-1)^{<w·x>},    (4.11)

where w ∈ F_2^n and <w·x> = w_1x_1 ⊕ w_2x_2 ⊕ ⋯ ⊕ w_nx_n over F_2. The function f can be recovered from F(w) by the inverse Walsh Transform

    f(x) = W^{-1}(F)(x) = 2^{-n} Σ_{w ∈ F_2^n} F(w) · (-1)^{<w·x>}.    (4.12)

Of course, the BF f takes on the real values {0,1}, but sometimes it is easier to work with BFs that take on values in the range {-1,1}. This alternate group of functions will be denoted by f̂. The function f̂ is related to the function f in the following manner

    f̂(x) = (-1)^{f(x)}   or   f̂(x) = 1 - 2f(x).    (4.13)


^1 We acknowledge that the nomenclature within the Walsh Transform is varied. Some sources call this definition the Hadamard Transform, the discrete Fourier-Walsh-Hadamard Transform, or the Walsh-Hadamard Transform. Unfortunately, there is no standard definition, but the notation presented here is adopted from [39,73].
The function on the left in Equation 4.13 is often referred to as the sign function, for which the WT also exists. This transform, however, we will call the Walsh-Hadamard Transform (WHT).

Definition 4.5.2. The Walsh-Hadamard Transform of f is given by

    F̂(w) = W(f̂)(w) = Σ_{x ∈ F_2^n} (-1)^{f(x) ⊕ <w·x>}.    (4.14)

In the same way that f and f̂ are related, there is also a relationship between the WT and the WHT. This is a rather important relationship, thus it is stated as a lemma. The simple proof is omitted, but is available in [39].

Lemma 4.5.3. If f̂(x) = (-1)^{f(x)}, then

    F̂(w) = -2F(w) + 2^n δ(w),    (4.15)

or

    F(w) = 2^{n-1} δ(w) - (1/2) F̂(w),    (4.16)

where δ(w) is the Kronecker delta function (sometimes called the Dirac symbol) defined as

    δ(w) = 1, if w = 0;
    δ(w) = 0, otherwise.

Equations 4.11 and 4.14 each yield a vector of Fourier coefficients as w varies, also known as Walsh coefficients. These lists of 2^n coefficients are called the Walsh spectrum of f and the Walsh-Hadamard spectrum of f, respectively [39]. For general purposes, we refer to either list as the Walsh spectrum of a BF, although context should be clear upon which version is presented. The Walsh spectrum is another unique representation of a BF and is often used as a means to explicitly define certain cryptographic properties on a function. We will return to this notion shortly, but first we present an example of the WT.
EXAMPLE 4.5.4. Both the WT and WHT involve sums over the entire vector space F_2^n. Thus, by-hand calculations are rarely practical. Consider the BF defined as f : F_2^2 → F_2, with ANF given by 1 ⊕ x_1 ⊕ x_2. The truth table representation is given in Table 4.8.

    x_1  x_2  f
     0    0   1
     0    1   0
     1    0   0
     1    1   1

Table 4.8: Truth Table Representation for 1 ⊕ x_1 ⊕ x_2.

WT

    F(w) = W(f)(w) = Σ_{x ∈ F_2^2} f(x) · (-1)^{<w·x>}

    F(00) = 1(-1)^0 + 0 + 0 + 1(-1)^0 = 2
    F(01) = 1(-1)^0 + 0 + 0 + 1(-1)^1 = 0
    F(10) = 1(-1)^0 + 0 + 0 + 1(-1)^1 = 0
    F(11) = 1(-1)^0 + 0 + 0 + 1(-1)^0 = 2

    Walsh spectrum = (2, 0, 0, 2)

WHT

    F̂(w) = W(f̂)(w) = Σ_{x ∈ F_2^2} (-1)^{f(x) ⊕ <w·x>}

    F̂(00) = (-1)^{1⊕0} + (-1)^{0⊕0} + (-1)^{0⊕0} + (-1)^{1⊕0} = 0
    F̂(01) = (-1)^1 + (-1)^1 + (-1)^0 + (-1)^0 = 0
    F̂(10) = (-1)^1 + (-1)^0 + (-1)^1 + (-1)^0 = 0
    F̂(11) = (-1)^1 + (-1)^1 + (-1)^1 + (-1)^1 = -4

    Walsh-Hadamard spectrum = (0, 0, 0, -4)
The reader can easily verify the relation between the two spectra using Equation 4.15 and that the truth table output can be recovered by the inverse in Equation 4.12. Note that the Kronecker delta function is only equal to one when w is the zero vector.

Since the WT operates as a DFT, the classical method of solving for the Fourier coefficients is not an integral problem but rather a matrix problem. Thus, the Walsh spectrum can also be found by means of Hadamard matrices. Hadamard matrices are recursively constructed and consist of ±1s. Formally [39], a Hadamard matrix H of order n is an n × n matrix of ±1s such that HH^T = nI_n, where H^T is the transpose of H and I_n is the n × n identity matrix. The recursion is given as (in this indexing, H_n has order 2^n, matching the truth table of a BF in n variables)

    H_0 = [1],   H_1 = [ 1  1 ; 1 -1 ],   and   H_n = [ H_{n-1}  H_{n-1} ; H_{n-1}  -H_{n-1} ].    (4.17)

Thus, H_2 is constructed in typical block matrix style as

    [ 1  1  1  1 ]
    [ 1 -1  1 -1 ]
    [ 1  1 -1 -1 ]
    [ 1 -1 -1  1 ]

Therefore, expressed as a matrix product, the WT is given by [46,61]

    [F] = H_n · [f],    (4.18)

where [F] is a column vector of the Walsh spectrum values and [f] is a column vector of the function values. Returning to Example 4.5.4, we can compute the Walsh spectrum using the Hadamard matrix, but again note for large values of n, computations by-hand become impractical quickly.

Similarly, the WHT can be expressed in terms of the Hadamard matrix as [F̂] = H_n · [(-1)^f], where [F̂] is a column vector of the Walsh-Hadamard spectrum and [(-1)^f] is a column vector of negative ones raised to the function values [46].
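Worked in code, as an added example rather than anything from the thesis: the transforms of Definitions 4.5.1 and 4.5.2, the inverse (4.12), Lemma 4.5.3, and the Hadamard-matrix form (4.17)/(4.18), all applied to the truth table of Example 4.5.4. The function names and the encoding of x ∈ F_2^n as an integer with x_1 as the most significant bit are this example's own conventions.

```python
# Added example (not from the thesis): Walsh Transform (4.11), its inverse (4.12), the
# Walsh-Hadamard Transform (4.14), Lemma 4.5.3 and the Hadamard-matrix form (4.17)/(4.18),
# run on the truth table of 1 + x1 + x2 from Example 4.5.4.  A vector x in F_2^n is encoded
# as the integer whose most significant bit is x1, so x = 0b01 means (x1, x2) = (0, 1).

def dot(w, x):
    """Inner product <w.x> = w1x1 + ... + wnxn over F_2 (parity of the bitwise AND)."""
    return bin(w & x).count("1") & 1

def walsh_transform(tt):
    """Definition 4.5.1: F(w) = sum_x f(x) (-1)^<w.x>, for every w (same index order as tt)."""
    size = len(tt)
    return [sum(tt[x] * (-1) ** dot(w, x) for x in range(size)) for w in range(size)]

def inverse_walsh(spectrum):
    """Equation 4.12: f(x) = 2^-n sum_w F(w) (-1)^<w.x>; exact for spectra of 0/1 functions."""
    size = len(spectrum)
    return [sum(spectrum[w] * (-1) ** dot(w, x) for w in range(size)) // size
            for x in range(size)]

def walsh_hadamard_transform(tt):
    """Definition 4.5.2: F^(w) = sum_x (-1)^(f(x) + <w.x>)."""
    size = len(tt)
    return [sum((-1) ** (tt[x] ^ dot(w, x)) for x in range(size)) for w in range(size)]

def lemma_4_5_3_holds(tt):
    """Checks both forms of Lemma 4.5.3 on one truth table:
    F^(w) = -2 F(w) + 2^n delta(w)   and   F(w) = 2^(n-1) delta(w) - F^(w)/2."""
    size = len(tt)
    F, Fh = walsh_transform(tt), walsh_hadamard_transform(tt)
    delta = lambda w: 1 if w == 0 else 0
    eq15 = all(Fh[w] == -2 * F[w] + size * delta(w) for w in range(size))
    eq16 = all(2 * F[w] == size * delta(w) - Fh[w] for w in range(size))
    return eq15 and eq16

def hadamard_matrix(n):
    """Sylvester recursion (4.17): H_0 = [1], H_n = [[H, H], [H, -H]] with H = H_(n-1).
    H_n has order 2^n, the size of the truth table of an n-variable BF."""
    H = [[1]]
    for _ in range(n):
        H = [row + row for row in H] + [row + [-v for v in row] for row in H]
    return H

def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]

def spectra_via_hadamard(tt):
    """Equation 4.18, [F] = H_n [f], and its WHT counterpart [F^] = H_n [(-1)^f]."""
    n = len(tt).bit_length() - 1
    H = hadamard_matrix(n)
    return matvec(H, tt), matvec(H, [(-1) ** b for b in tt])

# Truth table of f = 1 + x1 + x2 in the order x = 00, 01, 10, 11 (Table 4.8).
EXAMPLE_TT = [1, 0, 0, 1]

if __name__ == "__main__":
    print("Walsh spectrum         ", walsh_transform(EXAMPLE_TT))           # [2, 0, 0, 2]
    print("Walsh-Hadamard spectrum", walsh_hadamard_transform(EXAMPLE_TT))  # [0, 0, 0, -4]
    print("inverse recovers f     ", inverse_walsh(walsh_transform(EXAMPLE_TT)))
    print("Lemma 4.5.3 holds      ", lemma_4_5_3_holds(EXAMPLE_TT))
    print("via Hadamard matrix    ", spectra_via_hadamard(EXAMPLE_TT))
```

Both routes give the same two spectra, (2, 0, 0, 2) and (0, 0, 0, -4), and `hadamard_matrix(2)` reproduces the 4 × 4 block matrix written out above; the direct sums cost 2^n work per coefficient, which is why the matrix form and, later, a fast transform matter once n grows.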



We now return to the concept alluded to in the previous section concerning the WT and cryptographic properties of BFs. There are a number of properties related to the WT/WHT, namely because the transform is a linear mapping and provides information on nonlinearity [46,72]. We must be careful to define which transform is being used though, which should be clear in the notation. Other properties, such as SAC and PC, are related to the autocorrelation function, which we do not discuss here but can be found in [39].

Balance: [46] A BF is balanced if F̂(0) = 0. This feature is observed in Example 4.5.4.

Nonlinearity: The nonlinearity of f is determined by the WHT of f [39], that is,

    N_f = 2^{n-1} - (1/2) max_{u ∈ F_2^n} |F̂(u)|,    (4.19)

where the bars represent absolute value. The function in Example 4.5.4 has nonlinearity zero since 2^1 - (1/2)(4) = 0.

Correlation Immunity: [39] A BF is correlation immune of order k, 1 ≤ k ≤ n, if and only if F̂(w) = 0 for 1 ≤ wt(w) ≤ k. The function in Example 4.5.4 is correlation immune of order one since both F̂(01) = 0 and F̂(10) = 0.

Resiliency: [46] Since resiliency also includes correlation immunity, the same stipulations on the WHT apply here. Thus, the resiliency for the function in Example 4.5.4 is also one.

Bent BFs: A BF in n variables is bent if and only if F̂(u) = ±2^{n/2} for all u ∈ F_2^n [51,68]. The function f(x) = x_1x_2 on F_2^2 is bent since its Walsh-Hadamard spectrum is (2, 2, 2, -2), so |F̂(u)| = 2^{2/2} = 2 for every u. Another version of the Fourier spectrum is the energy spectrum. The energy spectrum is defined as the square modulus of the Fourier transform [61], i.e., F̂^2. In this manner, all coefficients are positive constants. With respect to the energy spectrum of a BF, we often characterize a bent function as having a flat spectrum.
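The spectral tests just listed, implemented as an added example (not code from the thesis): the Walsh-Hadamard spectrum is computed with the in-place butterfly rather than the 2^n × 2^n sum, and balance, nonlinearity (4.19), correlation immunity, resiliency and bentness are read off it. The example goes a little beyond the text in that it also brute-forces the number of bent functions for small n, which reproduces the count of eight for n = 2 stated in Section 4.4. Function names and the bit ordering (x_1 is the most significant bit of the index) are assumptions of this example.

```python
# Added example (not from the thesis): the Walsh-Hadamard spectrum via the in-place
# butterfly (O(n 2^n) instead of the 2^n x 2^n sum of Definition 4.5.2) and the spectral
# tests for balance, nonlinearity (4.19), correlation immunity, resiliency and bentness.
# Truth tables are indexed by x as an integer with x1 as the most significant bit.

def fwht(tt):
    """Fast Walsh-Hadamard transform of the sign function f^ = (-1)^f.
    Returns F^(w) for w = 0 .. 2^n - 1 in the same index order as tt."""
    F = [(-1) ** b for b in tt]
    h = 1
    while h < len(F):
        for i in range(0, len(F), 2 * h):
            for j in range(i, i + h):
                a, b = F[j], F[j + h]
                F[j], F[j + h] = a + b, a - b
        h *= 2
    return F

def truth_table(n, func):
    """Truth table of func(x1, ..., xn) over all 2^n inputs in lexicographic order."""
    return [func(*[(x >> (n - 1 - i)) & 1 for i in range(n)]) for x in range(2 ** n)]

def is_balanced(tt):
    return fwht(tt)[0] == 0                       # F^(0) = (#zeros) - (#ones)

def nonlinearity(tt):
    n = len(tt).bit_length() - 1
    return 2 ** (n - 1) - max(abs(v) for v in fwht(tt)) // 2    # Equation 4.19

def correlation_immunity_order(tt):
    """Largest k with F^(w) = 0 for every w of Hamming weight 1..k (0 if none)."""
    n = len(tt).bit_length() - 1
    F = fwht(tt)
    for k in range(1, n + 1):
        if any(F[w] != 0 for w in range(1, 2 ** n) if bin(w).count("1") == k):
            return k - 1
    return n

def resiliency_order(tt):
    """Resilient of order k means balanced and correlation immune of order k (-1 if unbalanced)."""
    return correlation_immunity_order(tt) if is_balanced(tt) else -1

def is_bent(tt):
    """Bent iff n is even and every |F^(u)| equals 2^(n/2) (flat energy spectrum)."""
    n = len(tt).bit_length() - 1
    return n % 2 == 0 and all(abs(v) == 2 ** (n // 2) for v in fwht(tt))

def count_bent(n):
    """Brute-force count of bent functions in n variables (feasible only for n <= 4)."""
    size = 2 ** n
    return sum(is_bent([(t >> x) & 1 for x in range(size)]) for t in range(2 ** size))

if __name__ == "__main__":
    f1 = truth_table(2, lambda x1, x2: 1 ^ x1 ^ x2)            # Example 4.5.4
    f2 = truth_table(2, lambda x1, x2: x1 & x2)                # the bent function x1x2
    f3 = truth_table(4, lambda a, b, c, d: (a & b) ^ (c & d))  # bent in 4 variables
    for name, tt in (("1+x1+x2", f1), ("x1x2", f2), ("x1x2+x3x4", f3)):
        print(name, fwht(tt), "balanced:", is_balanced(tt), "N_f:", nonlinearity(tt),
              "CI:", correlation_immunity_order(tt), "bent:", is_bent(tt))
    print("bent functions in 2 variables:", count_bent(2))     # 8
```

For Example 4.5.4 this prints the spectrum (0, 0, 0, -4), balanced, nonlinearity 0, correlation immunity 1; for x_1x_2 it prints (2, 2, 2, -2) and bent. `count_bent(4)` returns 896 but already enumerates 2^16 truth tables, and n = 6 is out of reach this way, which is the growth Section 4.4 describes.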


4.6 Vectorial Boolean Functions

Recall that an S-Box is a mapping or substitution from an m-bit input to an n-bit output, where m and n need not be equal. Over the binary field, this is represented by f : F_2^m → F_2^n. These functions are also called (m,n)-functions, multi-output BFs, vectorial BFs, and S-Boxes [48]. Vectorial BFs employed in iterative block ciphers are used to provide confusion in the algorithm. Much work in the area of vectorial BFs for cryptography has been done by Carlet [40,48].

Given that m and n are positive integers, if a function F exists as an (m,n)-function, then the BFs f_1, f_2, ..., f_n defined at every x ∈ F_2^m by F(x) = (f_1(x), ..., f_n(x)) are called the coordinate functions of F [48]. In the case of DES, each of the eight S-Boxes is a function f : F_2^6 → F_2^4. Within each S-Box, we treat the four rows as coordinate functions. Thus, for any S-Box, there exists F(x) = (f_1(x), f_2(x), f_3(x), f_4(x)), where each f_i is a mapping from F_2^6 to F_2. Our aim in this thesis is to examine the coordinate functions of the S-Boxes.

There has been extensive research on the construction of cryptographically good S-Boxes. The DES creators stated that the boxes were built to resist a differential attack. One such method for doing so requires that the output of an (m,n)-function F to its derivatives D_a(x) = F(x) + F(x + a) must be distributed as uniformly as possible [48]. There is also a method for designing against Matsui's linear attack, which deals with linear combinations of the coordinate functions [48].

The DES S-Boxes have received much attention over the years. Webster, Tavares, and Adams, while writing in terms of generic S-Boxes, have always used DES as influence in their analysis. For example, in [58], the authors show that the set of DES S-Boxes does not satisfy the SAC; the probability that an output bit will change when a single input bit is complemented varies from 0.43 to 0.93. Granted, SAC did not exist at the time when IBM created DES. S-Box construction has also been studied from the viewpoints of random generation versus systematic design. While random generation is often effective, the design criteria mentioned by Adams and Tavares [50] are worth noting.
According to Adams and Tavares, an S-Box must satisfy the following criteria to be "cryptographically desirable":

1. bijection;

2. nonlinearity;

3. strict avalanche;

4. independence of output bits.

Property (1) observes that a 2^n × n S-Box is bijective, i.e., invertible (which may or may not be necessary). In doing so, the input vectors map to distinct output vectors and the output vectors appear only once per stage. Property (2) is obvious, but in order to ensure nonlinearity at both the bit level and integer level, the S-Box must utilize n nonlinear BFs. As a consequence of Property (1), Property (2) is typically achieved in the inverse S-Box. Property (3) was introduced in [58], but an S-Box as a whole possesses the SAC if it has Properties (1) and (4), and all n BFs fulfill the SAC. To show this, Adams and Tavares used Forré's method of construction for SAC-fulfilling BFs [73]. Property (4) is intended to resist certain correlation attacks. Others such as K. Kim have done more recent research into the construction of good S-Boxes; for a survey of these techniques, consult [47,49,59,60].
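To make the coordinate-function view and the Adams-Tavares criteria concrete, here is an added example (not part of the thesis) that loads DES S-Box S1 as published in FIPS 46, extracts its four coordinate functions f_1, ..., f_4 over F_2^6, and computes the checks the text refers to: bijectivity, balance of each coordinate function, the distribution of the derivative D_a(x) = F(x) ⊕ F(x ⊕ a), and the per-bit avalanche probabilities behind the SAC result of [58]. The row/column convention (row = b_1b_6, column = b_2b_3b_4b_5) is the FIPS one; the helper names are this example's own.

```python
# Added example (not from the thesis): DES S-Box S1 (FIPS 46) as a (6,4)-function, its four
# coordinate functions, and the checks discussed in the text: bijectivity, balance, the
# derivative distribution D_a(x) = F(x) ^ F(x ^ a), and the SAC avalanche probabilities.
# FIPS convention: for input bits b1..b6 the row is b1b6 and the column is b2b3b4b5;
# b1 is the most significant bit of the integer x.

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def s1(x):
    """F : F_2^6 -> F_2^4 for S-Box S1 (x is a 6-bit integer)."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]

def coordinate_functions(F, m, n):
    """Truth tables of f_1..f_n (f_1 = most significant output bit) over all x in F_2^m."""
    return [[(F(x) >> (n - 1 - i)) & 1 for x in range(2 ** m)] for i in range(n)]

def is_balanced(tt):
    return 2 * sum(tt) == len(tt)

def is_bijective(F, m, n):
    """Adams-Tavares property (1): m = n and every output value appears exactly once."""
    return m == n and len({F(x) for x in range(2 ** m)}) == 2 ** m

def derivative_distribution(F, m, n, a):
    """How often each output difference b occurs as D_a(x) = F(x) ^ F(x ^ a) over all x.
    Resistance to differential attacks asks for this to be as uniform as possible."""
    counts = [0] * 2 ** n
    for x in range(2 ** m):
        counts[F(x) ^ F(x ^ a)] += 1
    return counts

def differential_uniformity(F, m, n):
    """Largest entry of the difference distribution over all nonzero input differences a."""
    return max(max(derivative_distribution(F, m, n, a)) for a in range(1, 2 ** m))

def avalanche_probabilities(F, m, n):
    """table[i][j] = P[output bit j+1 flips | input bit i+1 is complemented].
    The SAC holds exactly when every entry equals 1/2."""
    table = []
    for i in range(m):
        a = 1 << (m - 1 - i)
        row = []
        for j in range(n):
            mask = 1 << (n - 1 - j)
            flips = sum(1 for x in range(2 ** m) if (F(x) ^ F(x ^ a)) & mask)
            row.append(flips / 2 ** m)
        table.append(row)
    return table

def satisfies_sac(F, m, n):
    return all(p == 0.5 for row in avalanche_probabilities(F, m, n) for p in row)

if __name__ == "__main__":
    coords = coordinate_functions(s1, 6, 4)
    print("bijective:", is_bijective(s1, 6, 4))
    print("coordinate functions balanced:", [is_balanced(t) for t in coords])
    print("differential uniformity:", differential_uniformity(s1, 6, 4))
    for row in avalanche_probabilities(s1, 6, 4):
        print(" ".join(f"{p:.4f}" for p in row))
    print("SAC satisfied:", satisfies_sac(s1, 6, 4))
```

Because each row of a DES S-Box is a permutation of 0..15, every coordinate function is balanced (32 ones out of 64), while the (6,4) shape rules out bijectivity from the start. The avalanche table contains entries away from 1/2 (for instance 0.5625 for input bit 6 against output bit 4, even though input bit 1 against output bit 1 gives exactly 0.5), which is the sense in which S1 fails the SAC.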
CHAPTER 5:
Basic Graph Theory

Graph theory is the study of graphs, but not the typical function graph depicted on, say, the x-y plane. Instead, graph theory examines the relations between objects, be they people, places, devices, molecules, etc. Since the field implicates models of everyday life, some refer to graphs as networks. Most scholars date the origin of graph theory to the famous Königsberg bridge problem solved by Euler in 1736. While it is a fairly old discipline, tremendous advances in graph theory, especially regarding networks, have spurred interest in the field within the last century. There are many terms within graph theory that are not defined here, but the reader can consult a standard graph theory text such as [74] for more insight.


5.1 Definitions

A graph is a collection of objects called vertices and the relations between them called edges. Sometimes, vertices are also called nodes while edges are also called arcs.

Definition 5.1.1. [74] A graph G is an ordered pair (V,E), where V is the finite set of vertices of G and E is the set of two-element subsets of V called edges. V is called the vertex set of G and E is called the edge set of G. The cardinality of V is called the order of the graph G, denoted by n.

A graph can be uniquely represented by the ordered pair (V,E) or by a pictorial model. Consider Example 5.1.2 where this is depicted.

EXAMPLE 5.1.2. In Figure 5.1, G is given by (V,E), where V = {v_1, v_2, v_3, v_4, v_5} and E = {{v_1,v_2}, {v_2,v_3}, {v_3,v_4}, {v_4,v_5}, {v_1,v_5}, {v_1,v_3}, {v_1,v_4}}. Ordinarily, we omit the set notation on the vertex pairs, so E can be written as E = {v_1v_2, v_2v_3, v_3v_4, v_4v_5, v_1v_5, v_1v_3, v_1v_4}. This graph is undirected, in that there is no orientation on the edges. This graph is also simple because there are no loops or multiple edges.
Figure 5.1: A Graph G on n = 5 Vertices.


Note in Example 5.1.2 that if the edge v_iv_j is in the edge set of G, then it appears as a line segment (or curve) connecting vertex v_i with vertex v_j. If the edge v_iv_j exists, i.e., v_iv_j ∈ E(G), then we say that v_i and v_j are adjacent. If v_i and v_j are adjacent, then they are also referred to as neighbors. If an edge e joins vertices v_i and v_j, then we say that e is incident with v_i (as well as v_j).

Some graphs allow for multiple connections between two vertices. For example, an airline 
might plan several routes between Detroit and San Francisco, depending on weather, traffic, 
or other variables. In this case, the airline route graph can depict multiple routes, which we 
call a multigraph. If an edge is also permitted to join a vertex to itself, then this graph is 
called a pseudograph. Figure 5.2 depicts these types of graphs. 




Figure 5.2: Multigraph and Pseudograph, Respectively. 
A multigraph contains at least one pair of distinct vertices that are joined by multiple (parallel) edges. Multigraphs do not permit loops. A pseudograph permits multiple edges and loops, but does not necessarily contain multiple edges. In this thesis we will consider simple graphs and pseudographs.

The degree of a vertex can be defined in two synonymous ways. The degree of v ∈ V(G) is equal to the number of edges incident with v. We also have that the degree of v ∈ V(G) is the number of vertices adjacent to v [74]. The degrees of the vertices within the graphs of Figure 5.2 can be represented as sequences: (3,3,3,5) and (3,3,4,4,4)^2, respectively. There are various rules, theorems, and bounds pertaining to vertex degree, but again we assume that the reader has knowledge of these or can consult a standard reference.

Additionally, a graph G is regular if all vertices of G have the same degree. A graph G is r-regular if deg(v) = r for all v ∈ V(G).

5.2 Matrix Representations

A graph can also be represented by a matrix describing the relations on vertices and edges. The most widely used matrix to describe a graph is the adjacency matrix. Like the name implies, the adjacency matrix displays the vertex adjacencies of the edge set of G (as well as the non-adjacencies).

Definition 5.2.1. [74] Assume that G is a simple, undirected graph of order n with vertex set {v_1, v_2, ..., v_n}. The adjacency matrix of G is the n × n matrix A = [a_ij], whose entries a_ij are given by

    a_ij = 1, if v_iv_j ∈ E(G);
    a_ij = 0, otherwise.

Figure 5.3 illustrates the concept of an adjacency matrix. The labeling of vertices outside the adjacency matrix is not a common practice, but this is displayed for the benefit of the reader.


^2 Note that for the loop, we counted the degree twice. While some graph theorists and authors only consider a loop to contribute one towards the vertex degree, the majority of texts double count the degree for a loop.
          a  b  c  d  l  m
    a   [ 0  1  0  0  0  1 ]
    b   [ 1  0  1  1  0  1 ]
A = c   [ 0  1  0  1  1  1 ]
    d   [ 0  1  1  0  1  0 ]
    l   [ 0  0  1  1  0  1 ]
    m   [ 1  1  1  0  1  0 ]

Figure 5.3: A Graph and Its Associated Symmetric Adjacency Matrix.


There are a couple of observations [75,76] to make with respect to the adjacency matrix for a simple, undirected graph.

i) A is a real and symmetric matrix;

ii) The row sums for each i of A equal the degree of each v_i;

iii) The diagonal entries of A are zero;

iv) The trace of A is zero, i.e., tr(A) = Σ_{i=1}^{n} a_ii = 0;

v) There is a one-to-one correspondence between the graph G and its associated adjacency matrix A (up to isomorphism and rearrangement of vertices in A);

vi) A is not unique, since we can reorder the vertices and arrive at a different representation.

Adjacency matrices for multigraphs are formed in a similar manner, in that the entry a_ij is the number of edges between v_i and v_j. In a pseudograph, however, we must now account for loops, which implies nonzero entries on the diagonal. Unfortunately, there is no standard method to handle the entry a_ii in the adjacency matrix of a pseudograph. Some propose that a loop should be given a weight of two (i.e., the entry a_ii is twice the number of loops attached to the vertex v_i [77]). This vertex-centric approach allows the adjacency matrix to hold the properties of row sums equaling the degree as well as the First Theorem of Graph Theory.^3 Others propose that a loop should be given a weight of one, which leans toward an edge-centric approach [78]. For this thesis, we use the latter approach, the reasons for which will become apparent in Section 5.4. Consider Figure 5.4 as an example of our approach to pseudographs.



          a  b  c  d  l  m
    a   [ 0  1  0  0  0  1 ]
    b   [ 1  0  1  1  0  1 ]
A = c   [ 0  1  0  1  1  1 ]
    d   [ 0  1  1  1  1  0 ]
    l   [ 0  0  1  1  1  1 ]
    m   [ 1  1  1  0  1  0 ]

Figure 5.4: A Pseudograph and Its Associated Adjacency Matrix.


The most common approach to multigraphs and pseudographs is to consider them as weighted graphs. In this respect, we assign each edge a weight. If an edge is not present, it has a weight of zero. Thus, this allows all graphs to be treated as weighted graphs, with an assigned weight function satisfying w : V × V → ℝ, with w(i,j) = w(j,i) and w(i,j) ≥ 0 [79]. The weight function w also has the property that w(i,j) > 0 if and only if ij ∈ E(G). With this application, a simple, undirected, and unweighted graph is a special case where the weights are either one or zero. Therefore, we use the terms adjacency matrix and matrix of weights interchangeably. This weighting does allow for the possibility of an adjacency matrix that is not in the traditional 0-1 format, but given our approach in Figure 5.4 we will not consider this.

Another matrix representation for a graph is the Laplacian. The Laplacian matrix has a long 
history dating back to German physicist Gustav Kirchhoff. In 1847, Kirchhoff developed 
the basis for the matrix-tree theorem (see [74]), which uses the Laplacian matrix in its 
construction. Therefore, the Laplacian is also referred to as the Kirchhoff matrix [80]. 

^3 The First Theorem of Graph Theory states that the sum of the degrees in a graph G is equal to twice the number of edges in G.
Definition 5.2.2. [79,80] Let G be a graph, possibly weighted, of order n. The Laplacian matrix of G is the n × n matrix L = [L_ij], whose entries L_ij are given by

    L = D - A,

where D is the diagonal matrix indexed by V(G), with i, j ∈ V(G), deg(i) = d(i) = Σ_j a_ij = Σ_j w(i,j), and A is the adjacency matrix. In an equivalent fashion,

    L_ij = d(i) - w(i,i),  if i = j;
    L_ij = -w(i,j),        if i ≠ j and ij ∈ E(G);
    L_ij = 0,              otherwise.


Unfortunately, the Laplacian does not have a one-to-one correspondence with a graph G. 
It is mainly used to deduce properties of the (possibly unknown) graph. However, it is a 
real symmetric matrix, and in fact the Laplacian is a positive semidefinite, singular matrix. 
Consider Example 5.2.3 in which the Laplacian is computed for the graph in Figure 5.4. 


EXAMPLE 5.2.3. Reading the degrees off the row sums of the adjacency matrix in Figure 5.4 (each loop counted once) gives d = (2, 4, 4, 4, 4, 4), and L = D - A is

          a   b   c   d   l   m
    a   [ 2  -1   0   0   0  -1 ]
    b   [-1   4  -1  -1   0  -1 ]
L = c   [ 0  -1   4  -1  -1  -1 ]
    d   [ 0  -1  -1   3  -1   0 ]
    l   [ 0   0  -1  -1   3  -1 ]
    m   [-1  -1  -1   0  -1   4 ]

Every row of L sums to zero, and the loops at d and l reduce those two diagonal entries from d(i) to d(i) - w(i,i) = 3.

There are still other matrices that can be used to represent a graph such as the incidence matrix, distance matrix, normalized Laplacian, signless normalized Laplacian, and signless Laplacian. However, these matrices are not the focus of this thesis.
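An added example (not from the thesis) that builds the adjacency matrices of Figures 5.3 and 5.4 from their edge lists, with a loop contributing one to a_ii as the text chooses, then forms L = D − A from Definition 5.2.2 and checks observations i)–iv). The vertex names follow the figures; the function names are this example's.

```python
# Added example (not from the thesis): adjacency and Laplacian matrices of the graphs in
# Figures 5.3 and 5.4 built from edge lists, with loops weighted one (the edge-centric
# convention the text adopts), plus checks of observations i)-iv) and of Definition 5.2.2.

VERTICES = ["a", "b", "c", "d", "l", "m"]

# Edges read off the adjacency matrix of Figure 5.3.
SIMPLE_EDGES = [("a", "b"), ("a", "m"), ("b", "c"), ("b", "d"), ("b", "m"),
                ("c", "d"), ("c", "l"), ("c", "m"), ("d", "l"), ("l", "m")]
# Figure 5.4 adds a loop at d and a loop at l.
PSEUDO_EDGES = SIMPLE_EDGES + [("d", "d"), ("l", "l")]

def adjacency_matrix(vertices, edges):
    """Matrix of weights: a_ij = number of edges between v_i and v_j; a loop adds 1 to a_ii."""
    idx = {v: i for i, v in enumerate(vertices)}
    n = len(vertices)
    A = [[0] * n for _ in range(n)]
    for u, v in edges:
        A[idx[u]][idx[v]] += 1
        if u != v:
            A[idx[v]][idx[u]] += 1
    return A

def degrees(A):
    """d(i) = sum_j a_ij (row sums), as in Definition 5.2.2."""
    return [sum(row) for row in A]

def laplacian(A):
    """L = D - A, so L_ii = d(i) - w(i,i) and L_ij = -w(i,j) for i != j."""
    d = degrees(A)
    n = len(A)
    return [[(d[i] if i == j else 0) - A[i][j] for j in range(n)] for i in range(n)]

def is_symmetric(M):
    return all(M[i][j] == M[j][i] for i in range(len(M)) for j in range(len(M)))

def trace(M):
    return sum(M[i][i] for i in range(len(M)))

def simple_graph_observations_hold(A):
    """Observations i), iii), iv): symmetric, zero diagonal, zero trace
    (ii), row sums = degrees, holds by the definition of degrees())."""
    return is_symmetric(A) and all(A[i][i] == 0 for i in range(len(A))) and trace(A) == 0

def row_sums(M):
    return [sum(row) for row in M]

if __name__ == "__main__":
    A = adjacency_matrix(VERTICES, SIMPLE_EDGES)
    P = adjacency_matrix(VERTICES, PSEUDO_EDGES)
    for name, M in (("A (Fig. 5.3)", A), ("A (Fig. 5.4)", P), ("L (Fig. 5.4)", laplacian(P))):
        print(name)
        for v, row in zip(VERTICES, M):
            print(" ", v, " ".join(f"{x:3d}" for x in row))
    print("observations hold for Fig. 5.3:", simple_graph_observations_hold(A))
    print("degrees, Fig. 5.4:", degrees(P))
    print("Laplacian row sums:", row_sums(laplacian(P)))
```

The Laplacian printed for Figure 5.4 has diagonal (2, 4, 4, 3, 3, 4): the loops at d and l are counted once in d(i) and subtracted again as w(i,i), and every row sums to zero, which is why μ = 0 is always a Laplacian eigenvalue. The pseudograph's adjacency matrix fails the zero-diagonal observation, as expected for loops.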
5.3 Spectral Graph Theory

The field of linear algebra is rich with techniques for examining structural properties of matrices. With the ability to represent a graph by a matrix, these techniques now become available to the user. This field is known as algebraic graph theory, in which we attempt to determine properties of graphs using algebraic properties of the matrices representing them [81,82]. Spectral graph theory is a subfield of algebraic graph theory which specifically aims to examine graph properties using the spectrum of a graph's associated matrix. The classic references on this subject are found in the works of Biggs [76], Cvetković et al. [77], and Chung [79]. The importance of spectral graph theory can be observed in the following quotations.

Just as astronomers study stellar spectra to determine the make-up of distant 
stars, one of the main goals in graph theory is to deduce the principal properties 
and structure of a graph from its graph spectrum. The spectral approach for 
general graphs is a step in this direction. There is no question that eigenvalues 
play a central role in our fundamental understanding of graphs. [79] 

Spectral graph theory is a useful subject. The founders of Google computed the 
Perron-Frobenius eigenvector of the web graph and became billionaires. [81] 


5.3.1 Definitions 

Definition 5.3.1. [76,81] The (ordinary) spectrum of a finite graph G of order n is the spectrum of the adjacency matrix A(G), that is, the set of n eigenvalues of A(G) together with their (algebraic) multiplicities. If the distinct eigenvalues of A(G) are λ_1 < λ_2 < ⋯ < λ_n and their multiplicities are m(λ_1), m(λ_2), ..., m(λ_n), then we shall write

    Spec G = ( λ_1      λ_2      ⋯   λ_n    )
             ( m(λ_1)   m(λ_2)   ⋯   m(λ_n) )

Similarly, the Laplace spectrum of a finite graph G is the spectrum of the Laplacian matrix L [81]. Note that Definition 5.3.1 does not include the corresponding eigenvectors. This is mainly due to the fact that eigenvectors are not unique, and that for a given eigenvalue λ, any scalar multiple of a nonzero vector x satisfies the eigenvalue problem: Ax = λx. There are certain graph properties that do account for eigenvectors, but in general we will not be concerned with them here.

Recall that to find the n eigenvalues of an n × n matrix A, we must find the n roots of the characteristic polynomial p(λ) = det(A - λI). Since the adjacency matrix A is real and symmetric, its eigenvalues are also real numbers. Likewise, since the Laplacian L is positive semidefinite, its eigenvalues are all nonnegative (i.e., λ_i ≥ 0 for all i ∈ {1, 2, ..., n}) and a zero eigenvalue is guaranteed (since the row sums are zero) [80]. Additionally, the algebraic and geometric multiplicity of each eigenvalue is the same, hence multiplicity is used interchangeably.

5.3.2 Some Known Results

We now present some of the many known results on graph spectra. Some of these deal with the adjacency matrix and some deal with the Laplacian. From context it should be clear which matrix is being used. Also, it should be apparent that if λ is an eigenvalue of the adjacency matrix A for an r-regular graph G, then r - λ is an eigenvalue of the Laplacian L. For added clarity, we refer to the eigenvalues of A as λ_1, λ_2, ..., λ_n and the eigenvalues of L as μ_1, μ_2, ..., μ_n. At certain points, we refer to the eigenvalues of A or L as the eigenvalues of G.

Degree

If G has maximum degree Δ(G), then |λ| ≤ Δ(G) for every eigenvalue λ of G [83].

The sum of the Laplacian eigenvalues is equal to the degree sum of a graph [84], i.e.,

    Σ_{i=1}^{n} μ_i = Σ_{i=1}^{n} d(i).

Regular Graphs 

An r-regular graph G has row sums equal to r in the adjacency matrix of weights. The following results [76,81,83] also hold:

1. r is an eigenvalue of G;

2. For all eigenvalues λ of G, we have |λ| ≤ r;

3. If r is an eigenvalue, then the all-1 vector is an eigenvector of G.
Connectedness

A graph G is connected if every pair of vertices of G is connected, i.e., there is a path between every two vertices of G. A u-v path in a graph is a sequence of vertices beginning with u and ending at v such that consecutive vertices in the sequence are adjacent, with the additional restriction that no vertices are repeated [74].

If a graph G is connected, then: (1) the largest eigenvalue of A has multiplicity one, and (2) the second smallest eigenvalue of L is greater than zero [85,86].

Closely related to the idea of connectivity is the number of components of a graph. A component of G is a connected subgraph of G that is not a proper subgraph of any other connected subgraph of G [74]. The number of components of a graph G is denoted by k(G). As related to spectra, k(G) is equal to the multiplicity of the smallest eigenvalue μ = 0 of the Laplacian L [86]. Thus, a graph is connected if and only if k(G) = 1, since it only has one component.

A graph G is bipartite if its vertex set can be partitioned into two distinct sets U and W such that every edge of G contains a vertex from U and a vertex from W [74]. As relating to spectra, a graph G is bipartite if and only if the Laplacian and the signless Laplacian have the same spectrum [81]. Recent research on internet topology has also revealed that a graph is bipartite if the normalized Laplacian has an eigenvalue of 2 [87,88]. Additionally, an r-regular graph is bipartite if and only if λ_1 = -r [89].

Diameter

Given a u-v path, the length of the path is the number of edges between u and v. The distance between u and v is the length of the shortest u-v path in a graph G. The diameter of a graph is the greatest distance between any two vertices of a connected G [74]. The diameter is often used to get a sense of how large a component is, especially useful when analyzing large networks. As relating to spectra [76,77], if a connected graph G has d distinct eigenvalues, then its diameter is bounded above by d - 1, i.e., diam(G) ≤ d - 1. This same result holds for Laplacian eigenvalues [81]. A lower bound on the diameter of a graph G of order n is also given in terms of the second smallest Laplacian eigenvalue [80], μ_2, as

    diam(G) ≥ 4 / (n μ_2).
Second Smallest Eigenvalue

The second smallest eigenvalue of the Laplacian is an interesting topic in the field of spectral graph theory. For the remainder of this thesis, we refer to the second smallest eigenvalue of the Laplacian as μ_2, also called the Fiedler value. Miroslav Fiedler [90] referred to this eigenvalue as the algebraic connectivity of a graph G. As mentioned with regards to connectivity, a graph G is connected if and only if μ_2 > 0. Another result [91] relates the algebraic connectivity with the number of vertices in a graph of degree n - 1, i.e., d*_{n-1} ≤ μ_2, where d*_{n-1} is the number of vertices of degree n - 1.

Fiedler also found relations between the algebraic connectivity and two graph parameters: vertex connectivity and edge connectivity. In order to understand these two parameters, we need the idea of cuts. A vertex-cut of G is a set U of vertices of G such that G - U is disconnected, i.e., subtracting the set U (and the edges incident with these vertices) disconnects the graph G into components. Thus, the vertex-connectivity κ(G) of a graph G is the cardinality of a minimum vertex-cut of G [74]. Fiedler [90] proved that if G is not a complete graph^4, then μ_2 ≤ κ(G). Similarly, an edge-cut of G is a set X of edges of G such that G - X is disconnected. Hence, the edge-connectivity η(G) is the cardinality of a minimum edge-cut of G [74]. Once again, Fiedler [90] proved that μ_2 ≤ η(G).

We also have that μ_2 = n if and only if G is a complete graph on n vertices.
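To see the results of this subsection on concrete graphs, the following added example (not from the thesis) computes adjacency and Laplacian spectra with a small cyclic Jacobi routine, so it needs no numerical library, and checks the degree bound, the trace identity, the component count as the multiplicity of μ = 0, the Fiedler value, the regular-bipartite criterion λ_1 = −r, the diameter bound diam(G) ≤ d − 1, and μ_2 ≤ η(G) on the constructed graphs C_4, K_4 and their disjoint union. The graph constructors, the brute-force edge connectivity and all function names are assumptions of this example.

```python
# Added example (not from the thesis): graph spectra via a plain cyclic Jacobi eigenvalue
# solver (no numpy), used to check the results of this subsection on small constructed
# graphs.  Adjacency matrices are lists of lists of ints; the graph builders are this example's.
import math
from itertools import combinations

def sym_eigenvalues(M, sweeps=50):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations, ascending."""
    n = len(M)
    A = [[float(v) for v in row] for row in M]
    for _ in range(sweeps):
        if sum(A[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < 1e-20:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(A[p][q]) < 1e-15:
                    continue
                theta = (A[q][q] - A[p][p]) / (2 * A[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1))
                c = 1 / math.sqrt(t * t + 1)
                s = t * c
                for k in range(n):                      # A <- A J   (columns p, q)
                    akp, akq = A[k][p], A[k][q]
                    A[k][p], A[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):                      # A <- J^T A (rows p, q)
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return sorted(A[i][i] for i in range(n))

def laplacian(A):
    return [[(sum(A[i]) if i == j else 0) - A[i][j] for j in range(len(A))] for i in range(len(A))]

def cycle(n):
    return [[1 if (i - j) % n in (1, n - 1) else 0 for j in range(n)] for i in range(n)]

def complete(n):
    return [[0 if i == j else 1 for j in range(n)] for i in range(n)]

def disjoint_union(A, B):
    n, m = len(A), len(B)
    return [[A[i][j] if i < n and j < n else (B[i - n][j - n] if i >= n and j >= n else 0)
             for j in range(n + m)] for i in range(n + m)]

def degree_bound_holds(A):
    """|lambda| <= Delta(G) for every adjacency eigenvalue."""
    return max(abs(v) for v in sym_eigenvalues(A)) <= max(sum(r) for r in A) + 1e-9

def laplacian_trace_identity_holds(A):
    """sum_i mu_i = sum_i d(i)."""
    return abs(sum(sym_eigenvalues(laplacian(A))) - sum(sum(r) for r in A)) < 1e-6

def num_components(A):
    """k(G) = multiplicity of the Laplacian eigenvalue 0."""
    return sum(1 for mu in sym_eigenvalues(laplacian(A)) if abs(mu) < 1e-6)

def fiedler_value(A):
    """mu_2, the algebraic connectivity; positive iff G is connected."""
    return sym_eigenvalues(laplacian(A))[1]

def regular_graph_is_bipartite(A):
    """For an r-regular graph: bipartite iff the smallest adjacency eigenvalue is -r."""
    r = sum(A[0])
    assert all(sum(row) == r for row in A), "graph is not regular"
    return abs(sym_eigenvalues(A)[0] + r) < 1e-6

def diameter_upper_bound(A):
    """diam(G) <= d - 1, where d is the number of distinct adjacency eigenvalues."""
    distinct = []
    for v in sym_eigenvalues(A):
        if not distinct or abs(v - distinct[-1]) > 1e-6:
            distinct.append(v)
    return len(distinct) - 1

def edge_connectivity(A):
    """eta(G): fewest edges whose removal disconnects G (brute force, small graphs only)."""
    n = len(A)
    edges = [(i, j) for i in range(n) for j in range(i + 1, n) if A[i][j]]
    for k in range(len(edges) + 1):
        for cut in combinations(edges, k):
            B = [row[:] for row in A]
            for i, j in cut:
                B[i][j] = B[j][i] = 0
            if num_components(B) > 1:
                return k
    return len(edges)

if __name__ == "__main__":
    C4, K4 = cycle(4), complete(4)
    print("Spec C4:", [round(v, 6) for v in sym_eigenvalues(C4)])    # [-2, 0, 0, 2]
    print("Spec K4:", [round(v, 6) for v in sym_eigenvalues(K4)])    # [-1, -1, -1, 3]
    print("mu_2(C4) =", round(fiedler_value(C4), 6), " mu_2(K4) =", round(fiedler_value(K4), 6))
    print("components of C4 + K4:", num_components(disjoint_union(C4, K4)))
    print("bipartite: C4", regular_graph_is_bipartite(C4), " K4", regular_graph_is_bipartite(K4))
    print("diam(C4) <=", diameter_upper_bound(C4), " eta(C4) =", edge_connectivity(C4))
```

For C_4 the adjacency spectrum is {−2, 0, 0, 2} and the Laplace spectrum {0, 2, 2, 4}, so μ_2 = 2 = η(C_4) and λ_1 = −r confirms bipartiteness; for K_4 the Fiedler value is 4 = n, as the last statement above says for complete graphs, and λ_1 = −1 ≠ −3 shows K_4 is not bipartite. The three distinct eigenvalues of C_4 bound its diameter by 2, which is exact. Jacobi rotations are fine at this size; for the order-64 Cayley graphs of later chapters a library eigensolver is the practical choice.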

In graph theory and especially in network science, analysts and attackers are often concerned with cuts. In any model network, an adversary might want to know the minimum number of edges (links) or nodes to cut before the entire network is disconnected. This is a classic problem in graph theory, known as a type of isoperimetric problem. In spectral geometry, the isoperimetric problem is to find a closed curve of a given length that encloses the maximum area. In graph theory, this is equivalent to removing the smallest portion of a graph that disconnects it [79]. In 1970, Cheeger^5 derived bounds for μ_2 on a Riemannian bounded curve in terms of volumes and areas. Noga Alon and Vitali Milman [92] extended this to a graph, giving a bound for μ_2 in terms of edge cuts.

Footnotes: A complete graph of order n has $\binom{n}{2}$ edges and every two distinct vertices
are adjacent. J. Cheeger wrote "A lower bound for the smallest eigenvalue of the Laplacian" in
Problems in Analysis, 1970.

Consider a graph G with vertex set V(G). We would like to split the graph into two disconnected
components via a cut, in this case an edge-cut. An edge-cut is defined as a bipartition of
V(G), denoted by $E(S, \bar{S})$, where $S \subset V(G)$, $\bar{S} = V(G) \setminus S$, and
$S \cap \bar{S} = \emptyset$. We also define the edge-cut $E(S, \bar{S})$ as the edge boundary
$\partial S$ of S. The cardinality of $\partial S$ is the number of edges with one endpoint in
S and the other in $\bar{S}$. This quantity is then related to the sizes of S and $\bar{S}$,
yielding a ratio of the proposed cut as

$$h_G(S) = \frac{|\partial S|}{\min(|S|, |\bar{S}|)} = \frac{|E(S, \bar{S})|}{\min(|S|, |\bar{S}|)}.$$


If we consider this formula for $h_G(S)$, then the Laplacian matrix is a better consideration.
If using weights, it is often better to use the normalized Laplacian to account for the
distribution of weights. In this alternate version, denoted $h'_G(S)$, the term volume is used
instead to measure the size of S and $\bar{S}$. Let the volume of S be defined as
$\mathrm{vol}(S) = \sum_{v \in S} d(v)$. In an analogous manner,

$$h'_G(S) = \frac{|E(S, \bar{S})|}{\min(\mathrm{vol}(S), \mathrm{vol}(\bar{S}))}.$$

As the term in the numerator decreases, the overall cut ratio decreases. Thus, an optimal
edge-cut translates into removing the fewest edges. This minimum ratio is called the Cheeger
constant of a graph, i.e.,

$$h_G = \min_{\emptyset \subset S \subset V(G)} h_G(S) \quad \text{or} \quad h'_G = \min_{\emptyset \subset S \subset V(G)} h'_G(S),$$

depending on which version of the Laplacian is used [79,83]. Finding the minimum edge-cut is a
nontrivial problem, especially when the order gets larger. From the Cheeger constant, we can
formulate what is known as the Cheeger inequality.

Theorem 5.3.2. [79] Let $0 = \mu_1 \leq \mu_2 \leq \cdots \leq \mu_n$ be the eigenvalues of the
Laplacian and $h_G$ be the Cheeger constant of a graph G. Then

$$2h_G \geq \mu_2 \geq \frac{h_G^2}{2\Delta(G)}, \qquad (5.1)$$

where $\Delta(G)$ is the maximum degree of G. If using the normalized Laplacian, then the
Cheeger inequality is given as

$$2h'_G \geq \mu_2 \geq \qquad (5.2)$$
This remarkable result gives us an upper bound for $\mu_2$. In particular, when finding the
Cheeger constant appears difficult, it can be estimated with $\mu_2$. Control of $\mu_2$ implies
control of the Cheeger constant and hence edge-connectivity [93]. A small value for $\mu_2$
implies that a small number of edges is needed to disconnect the graph; a large $\mu_2$ implies
that many edges are required in an edge-cut. Cvetković et al. [83] provided a similar result
relating the edge boundary to the Laplacian eigenvalues:

$$\mu_2 \frac{|S|\,|\bar{S}|}{n} \leq |\partial S| \leq \mu_n \frac{|S|\,|\bar{S}|}{n}, \quad \text{i.e.,} \quad \mu_2 \leq \frac{n\,|\partial S|}{|S|\,|\bar{S}|} \leq \mu_n. \qquad (5.3)$$

There are many other established bounds on the algebraic connectivity, but we only mention
one more that relates the diameter and maximum degree of a graph. This result is due to
Alon Nilli [94], although the notation is borrowed from [83]. If G is connected with maximum
degree $\Delta(G)$ and diameter d, then

$$\mu_2 \leq \Delta(G) - 2\sqrt{\Delta(G) - 1} + \frac{2\sqrt{\Delta(G) - 1} - 1}{\lfloor d/2 \rfloor}.$$


Largest Eigenvalue

The largest eigenvalue of A is known as the spectral radius or index of G. Besides the other
results already mentioned, for a connected graph G that is not regular, we have
$d_{\mathrm{avg}} < \lambda_n < \Delta(G)$, where $d_{\mathrm{avg}}$, $\lambda_n$ and $\Delta(G)$
are the average degree, the spectral radius and the maximum degree of G, respectively [81].

Spanning Trees

A subgraph H of a graph G is a spanning subgraph if it spans all vertices in G, i.e., H and
G have the same vertex set. If H is a tree (a tree is a connected graph that does not contain
cycles; a cycle is a closed circuit in which vertices may be repeated but edges may not), then
it is called a spanning tree. Spanning trees have many applications in networks, from design
to searching. The total number of spanning trees in a graph G, called the complexity of G, is
determined by the Laplacian spectrum [83]. This result follows from the matrix-tree theorem.

Theorem 5.3.3. [80-83] Let G be a connected graph with Laplacian matrix L and eigenvalues
$0 = \mu_1 \leq \mu_2 \leq \cdots \leq \mu_n$. Then the number of spanning trees t(G) of G is
equal to any cofactor of L. Symbolically,

$$t(G) = \det\!\left(L + \frac{1}{n^{2}} J\right) = \frac{1}{n} \prod_{i=2}^{n} \mu_i, \qquad (5.4)$$

where J is the all-ones matrix. The (i, j)-cofactor of a matrix M is given by
$(-1)^{i+j} \det(M(i,j))$, where M(i,j) is obtained by deleting row i and column j. It should
also be noted that the following relationship holds:

$$\mathrm{adj}(L) = t(G)\, J, \qquad (5.5)$$

where adj(L) is the adjugate matrix of L, i.e., the transpose of the matrix of cofactors. In
this theorem, loops are ignored since a tree cannot contain a closed path.

Cliques and Independence Number

A clique (pronounced kleek or klik) is a complete subgraph of a graph G [74]. This can also be
thought of as a subset of the vertex set V(G) in which all the vertices are pairwise adjacent.
A coclique is a set of pairwise nonadjacent vertices in a graph G [81]. The clique number
$\omega(G)$ of a graph G is the order of the largest clique in G, while the independence number
$\alpha(G)$ is the order of the largest coclique in G. We now present some bounds on these
parameters with respect to the eigenvalues of A. Finding the clique number and independence
number of a graph, along with many other graph invariants, are NP-complete problems (an
NP-complete problem has a solution that can be verified in polynomial time, but there is no
known algorithm that can find a solution in polynomial time; NP stands for nondeterministic
polynomial time). However, determining the bounds from the eigenvalues can be performed in
polynomial time.

Theorem 5.3.4. [83] Let G be a graph on n vertices. Let $n^+$ and $n^-$ denote the number of
positive and negative eigenvalues of the adjacency matrix of G, respectively. Then

$$\alpha(G) \leq \min\{n - n^+,\; n - n^-\}. \qquad (5.6)$$
Theorem 5.3.5. [83] If G is regular, with ordinary spectrum $\lambda_1 \leq \lambda_2 \leq \cdots \leq \lambda_n$, then

$$\alpha(G) \leq n\,\frac{-\lambda_1}{\lambda_n - \lambda_1}. \qquad (5.7)$$

The clique number $\omega(G)$ is bounded above by the spectral radius of G [85], i.e.,
$\omega(G) \leq \lambda_n + 1$. Cvetković et al. [83] provided a slight improvement on this bound.

Theorem 5.3.6. [83] Let $m^-$, $m^0$, $m^+$ denote the number of eigenvalues of a graph G which
are less than, equal to, or greater than $-1$, respectively. Let
$s = \min\{m^- + m^0 + 1,\; m^0 + m^+,\; 1 + \lambda_n\}$. Then $\omega(G) \leq s$. If
$s = m^- + m^0 + 1$ and the eigenvalues greater than $-1$ exceed $m^- + m^0$, then
$\omega(G) \leq s - 1$.


Theorem 5.3.7. [83,95] If G is a graph with n vertices and m edges, then

$$\omega(G) \geq \frac{2m}{2m - \lambda_n^2}. \qquad (5.8)$$


Chromatic Number

The chromatic number $\chi(G)$ of a graph is the smallest number of colors in a proper coloring
of G. By a proper coloring, we mean an assignment of colors to the vertices of G such that
adjacent vertices are colored differently [74]. Determining the chromatic number of a graph is
another decision problem, yet it is a classic exercise in graph theory.

Theorem 5.3.8. [81,96] Let G be a connected graph with largest eigenvalue $\lambda_n$. Then
$\chi(G) \leq \lambda_n + 1$, with equality if and only if G is complete or is an odd cycle.

Theorem 5.3.9. [81,83] Let G be a graph with n vertices and at least one edge. Then

with equality if G is a nontrivial complete graph.

Vladimir Nikiforov [97] provided another lower bound on the chromatic number involving a
Laplacian eigenvalue.

Theorem 5.3.10. [83,97] Let G be a graph with n vertices. Then

$$\chi(G) \geq 1 + \frac{\lambda_n}{\mu_n - \lambda_n}. \qquad (5.10)$$


Number of Walks

A u-v-walk in a graph G is a sequence of vertices beginning at u and ending at v such that
consecutive vertices in the sequence are adjacent [74]. A k-walk is a walk of length k.
Determining if a graph has a k-walk is an NP-complete problem as well.

Lemma 5.3.11. [76,83] Let G be a graph with adjacency matrix A. The number of walks of length
k in G that start at vertex i and end at vertex j is given by the (i, j) entry of the matrix
$A^k$.

A u-v-walk is closed if u = v. The number of closed walks of length k is given by [83]

$$\sum_{i=1}^{n} \lambda_i^k = \lambda_1^k + \lambda_2^k + \cdots + \lambda_n^k. \qquad (5.11)$$

It follows from Lemma 5.3.11 that we can relate the eigenvalues to the number of triangles
and edges in a graph. In particular, we have $\lambda_1^2 + \cdots + \lambda_n^2 = 2|E(G)|$,
since the trace of $A^2$ counts the number of closed walks of length two. Also,
$\lambda_1^3 + \cdots + \lambda_n^3 = 6|T(G)|$, where $|T(G)|$ is the number of triangles in
the graph.

In order to count the total number of walks of length k in a graph, we must first consider the
product $j^T A^k j$, where j is the all-ones vector of length n. Since A is a real symmetric
matrix, its eigenvalues are associated with orthonormal eigenvectors. Thus, for a choice of
constants $\alpha_i$, we can substitute for j with $j = \sum_i \alpha_i \phi_i$, where $\phi_i$
is the eigenvector corresponding to $\lambda_i$. Utilizing this substitution [98], we have that
the total number of walks of length k is

$$j^T A^k j = \left(\sum_i \alpha_i \phi_i\right)^{T} A^k \left(\sum_i \alpha_i \phi_i\right) = \sum_i \alpha_i^2 \lambda_i^k.$$

Alternate approaches to the total number of walks of length k are given in [77,83].
Strongly Regular Graphs

A strongly regular graph is an r-regular graph on n vertices with the parameters (n, r, e, f)
such that any two adjacent vertices have e common neighbors and any two nonadjacent vertices
have f common neighbors [83]. Examples of strongly regular graphs include the 5-cycle $C_5$ with
parameters (5,2,0,1) and the Petersen graph with parameters (10,3,0,1). The Petersen graph is
referenced below in Figure 5.5.

Theorem 5.3.12. [83,99] Let G be a connected r-regular graph, r > 0. Then G is strongly regular
if and only if it has exactly three distinct eigenvalues. Furthermore, if these eigenvalues are
$\lambda_1 = r$, $\lambda_2 = s$, and $\lambda_3 = t$, then

$$s, t = \frac{(e - f) \pm \sqrt{\Delta}}{2}, \qquad \Delta = (e - f)^2 + 4(r - f).$$

In the reverse direction, the parameters e and f are given in terms of the eigenvalues as

$$e = r + s + t + st, \qquad f = r + st, \qquad n = \frac{(r - s)(r - t)}{r + st}.$$

The multiplicities of r, s, t are 1, k, l, respectively, where

$$k, l = \frac{1}{2}\left[(n - 1) \mp \frac{2r + (n - 1)(e - f)}{\sqrt{\Delta}}\right].$$

Furthermore, if k = l (which only happens when $\Delta$ is not a perfect square), then the
strongly regular graph is called a conference graph. If the graph is not a conference graph,
then $\Delta = (s - t)^2$ is a perfect square, and r, s and t are all integers.


5.4 Cayley Graphs

Cayley graphs are named in honor of British mathematician Arthur Cayley (1821-1895). Among his
many accomplishments, Cayley is best known for his work in developing modern group theory.
Cayley is also credited with solidifying matrix theory and making discoveries in analytic
geometry.

5.4.1 Definitions

We first need the idea of a Cayley set in order to define the Cayley graph that we need for
a BF.

Definition 5.4.1. [39,41] Let $\Gamma$ be a group with identity element e. Suppose C is a subset
of $\Gamma$. C is called a Cayley set if and only if whenever $g \in C$, then $g^{-1} \in C$, and
$e \notin C$.

Definition 5.4.1 follows in the traditional manner of defining a generating set for a finite
group, but we modify it by allowing the identity e to be an element of C. This exception allows
for the presence of loops in the graph [41].

Definition 5.4.2. [41] The Cayley graph $G = G(\Gamma, C)$ of $\Gamma$ with respect to C is the
graph whose vertex set is $\Gamma$, with two vertices g and h adjacent if $gh^{-1} \in C$.

We now proceed to associate the Cayley graph to a BF, $f : \mathbb{F}_2^n \to \mathbb{F}_2$.
Recall that $\mathbb{F}_2^n$ is a vector space, and for any vector $w \in \mathbb{F}_2^n$,
$w = w^{-1}$ with respect to the XOR operation. Since every vector is equal to its inverse in
this group, any subset of $\mathbb{F}_2^n$ is a Cayley set. The subset we choose is the support
of f, i.e., $\Omega_f = \{x \in \mathbb{F}_2^n : f(x) = 1\}$. We can now define a Cayley graph
for a BF.

Definition 5.4.3. [39,41] Let f be a BF on $\mathbb{F}_2^n$. Define the Cayley graph of f with
respect to the set $\Omega_f$ as the graph $\Gamma_f = (\mathbb{F}_2^n, E_f)$. The vertex set of
$\Gamma_f$ is $\mathbb{F}_2^n$, while the edge set is
defined by

$$E_f = \{(w, u) \in \mathbb{F}_2^n \times \mathbb{F}_2^n : w \oplus u \in \Omega_f\} = \{(w, u) \in \mathbb{F}_2^n \times \mathbb{F}_2^n : f(w \oplus u) = 1\}.$$

It follows from Definition 5.4.3 that the adjacency matrix $A_f$ of $\Gamma_f$ is the array of
entries $a_{ij} = f(b(i) \oplus b(j))$, where $b(i)$ is the binary representation of the index i
as a vector. The adjacency matrix $A_f$ has the following properties [39,41]:

i) The row sums of $A_f$ are equal to $|\Omega_f|$;

ii) Property i) implies that $\Gamma_f$ is a regular graph of degree $\mathrm{wt}(f) = |\Omega_f|$;

iii) $A_f$ has the dyadic property [100]: the entry $a_{ij}$ depends only on $b(i) \oplus b(j)$;

iv) $A_f$ is a $2^n \times 2^n$ symmetric matrix.


5.4.2 Boolean Cayley Graphs and their Spectra

For clarity, we now refer to Definition 5.4.3 as the one for Boolean Cayley graphs. BFs and
their Walsh spectra have been analyzed extensively in the last 50 years, especially with regard
to their associated cryptographic properties. The Cayley graph has also received much attention
in the works of László Babai [101] and László Lovász [102], in particular with regard to its
graph spectra. With the arrival of the Boolean Cayley graph, however, we now have a means to
examine the graph spectra of a BF. The seminal work on Boolean Cayley graphs and their spectra
was performed by Bernasconi and Codenotti [41], a summary of which is presented here.

Theorem 5.4.4. Let $f : \mathbb{F}_2^n \to \mathbb{F}_2$, and let $\lambda_i$, $0 \leq i \leq 2^n - 1$,
be the eigenvalues of the associated Cayley graph $\Gamma_f$. Then, there is a one-to-one
correspondence between the spectrum of $\Gamma_f$ and the Walsh spectrum of f, i.e.,
$\lambda_i = F(b(i))$, for any i.


Proof: Recall that we defined the group character of $\mathbb{F}_2^n$ as the function
$Q_w(x) = (-1)^{w \cdot x}$. The eigenvectors of $\Gamma_f$ are equal to the characters $Q_w(x)$.
Then, the i-th eigenvalue of $A_f$, corresponding to the eigenvector $Q_{b(i)}$, is given by

$$\lambda_i = \sum_{x} Q_{b(i)}(x)\, f(x) = \sum_{x} (-1)^{b(i) \cdot x} f(x).$$

EXAMPLE 5.4.5. Let us use the function from Example 4.5.4, $f : \mathbb{F}_2^2 \to \mathbb{F}_2$
with ANF given by $1 \oplus x_1 \oplus x_2$.

$$F(w) = W(f)(w) = \sum_{x \in \mathbb{F}_2^2} f(x)(-1)^{w \cdot x}.$$

$F(00) = 1(-1)^0 + 0 + 0 + 1(-1)^0 = 2$
$F(01) = 1(-1)^0 + 0 + 0 + 1(-1)^1 = 0$
$F(10) = 1(-1)^0 + 0 + 0 + 1(-1)^1 = 0$
$F(11) = 1(-1)^0 + 0 + 0 + 1(-1)^2 = 2$

$\lambda_0 = F(00) = 2$
$\lambda_1 = F(01) = 0$
$\lambda_2 = F(10) = 0$
$\lambda_3 = F(11) = 2$

We must be careful here not to confuse the subscript notation of the Cayley graph eigenvalues
with the ordinary spectrum presented in Subsection 5.3.1. Translating the eigenvalues of this
function to the spectrum notation of an adjacency matrix, we have

$$\mathrm{Spec}\,\Gamma_f = \begin{pmatrix} 0 & 2 \\ 2 & 2 \end{pmatrix}.$$
Theorem 5.4.4 is a remarkable result not only because it links BFs to spectral graph theory,
but because it can save computational time. There are numerous computer programs that can
quickly compute the WT of a BF. In order to compute the eigenvalues of $A_f$, however, we must
first collect all of the vector combinations in the support of f and then create the
$2^n \times 2^n$ matrix. For large n, this can be time consuming. For this thesis, in particular
for Chapter 6, Theorem 5.4.4 only holds if we assign a weight of one to a loop in a pseudograph.
If a loop is assigned a weight of two, then we do not see a one-to-one correspondence between
the WT and the Cayley spectra.

Figure 5.6 depicts the Cayley graph from Example 5.4.5. Using some of the results from
Section 5.3.1, we can make some comments about this graph. We know that the Cayley graph is
regular, and using the adjacency matrix for this function, the row sums of $A_f$ are two. Thus,
$\Gamma_f$ is 2-regular. Regularity also implies that r = 2 is an eigenvalue of $\Gamma_f$, and
all other eigenvalues have absolute value less than or equal to 2. We can clearly see that the
graph in Figure 5.6 is disconnected. This is verified because the largest eigenvalue
$\lambda_3 = 2$ does not have multiplicity one. Also, the Laplacian eigenvalues (which in this
case happen to be the same as those of the adjacency matrix) tell us that $\Gamma_f$ is
disconnected, since the multiplicity of 0 implies that the graph has k(G) = 2 components. With
regard to diameter, we do not define the diameter of a disconnected graph. However, the
diameter of a component is possible to examine, and since the components of the graph in
Figure 5.6 are the same, we deduce that the diameter of a component is 1. This is verified with
the eigenvalues of an adjacency matrix for one component, which are 0 and 2. The diameter is
bounded above by d − 1, where d = 2 is the number of distinct eigenvalues. In this case, we know
that $\mathrm{diam}(G) \leq 2 - 1 = 1$. It is not very helpful to examine $\Gamma_f$ with some
of the other results since the graph is disconnected, but this will be looked at more closely
in Chapter 6.

Figure 5.6: Cayley Graph $\Gamma_f$ for the Function $1 \oplus x_1 \oplus x_2$.


Let $\langle \Omega_f \rangle \subseteq \mathbb{F}_2^n$ be the space of the (0,1) sequences
generated by $\Omega_f$ and let $\dim(\Omega_f)$ be its dimension [39,41]. Given this, observe
that $\Omega_f = \{00, 11\}$ in Example 5.4.5. Since the zero vector is not part of a basis,
this space has dimension one, i.e., $\dim(\Omega_f) = 1$. With this new concept, we can state
some more results on Boolean Cayley spectra, taken from [39,41].

5.4.3 Further Spectral Properties of Boolean Cayley Graphs

This section lists some other properties relating the Cayley spectra to graph properties as
well as BF properties. For some of these results, it is assumed that $n \geq 4$, and these are
marked with a (*).

i*) The multiplicity of the largest spectral coefficient of f, $F(b(0))$, is equal to
$2^{n - \dim(\Omega_f)}$.

ii) If $\dim(\Omega_f) = n$, then $\Gamma_f$ is connected.

iii*) If $\Gamma_f$ is connected, then f has a spectral coefficient equal to $-\mathrm{wt}(f)$
if and only if its Walsh spectrum is symmetric with respect to zero.

iv*) $\Gamma_f$ is bipartite if and only if the Walsh spectrum of f is symmetric with respect
to zero. Furthermore, $\Gamma_f$ is bipartite if and only if $\mathbb{F}_2^n \setminus \Omega_f$
contains a subspace of dimension $n - 1$.

v*) The number of nonzero spectral coefficients is equal to $\mathrm{rank}(A_f)$.

vi*) If $\Gamma_f$ has two distinct eigenvalues, then its connected components are complete
graphs and $\Omega_f \cup \{b(0)\}$ is a group.

vii*) If $\Gamma_f$ has three distinct eigenvalues, none of which is zero, then these
eigenvalues are

$$\lambda_0 = |\Omega_f| = \mathrm{wt}(f), \qquad \lambda_2 = -\lambda_1 = -e,$$

where e is the parameter of a strongly regular graph.

viii*) A BF defined on $\mathbb{F}_2^n$ (n even) is bent if and only if its associated Cayley
graph $\Gamma_f$ is a strongly regular graph with the additional property that e = f.

ix) Assume $n \geq 4$. If $\Gamma_f$ is triangle free, then f is not bent.

x*) If $\Gamma_f$ is the Cayley graph of f with eigenvalues
$\lambda_1 \leq \lambda_2 \leq \cdots \leq \lambda_N$ and g being the multiplicity of
$\lambda_1$, then

$$\min\left\{g + 1,\; 1 - \frac{\lambda_N}{\lambda_1}\right\} \leq \chi(\Gamma_f) \leq |\Omega_f|,$$

provided $\lambda_{N-1} \neq 0$.

xi*) A BF is correlation immune of order $\ell$ if and only if the eigenvalues of its
associated Cayley graph satisfy $\lambda_i = 0$ for all i with $1 \leq \mathrm{wt}(b(i)) \leq \ell$.
Resiliency follows if $\lambda_0 = 2^{n-1}$.
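Theorem 5.4.4 and properties vii*) and viii*) above, worked in code. This is an added example,
not code from the thesis or from Bernasconi and Codenotti: it builds $A_f$ from a truth table,
checks that every character $(-1)^{w \cdot x}$ is an eigenvector with eigenvalue F(w), and confirms
on a bent function on $\mathbb{F}_2^4$ ($x_1x_2 \oplus x_3x_4$, constructed here) that the Cayley
graph is strongly regular with e = f and that Theorem 5.3.12 recovers its parameters; the
function names are the example's own.

```python
"""Boolean Cayley graph of a BF (Definition 5.4.3): the characters (-1)^(w.x)
are eigenvectors of A_f with eigenvalue F(w) (Theorem 5.4.4), and a bent
function yields a strongly regular graph with e = f (property viii*).
Added example, not code from the thesis; pure Python, exact integer arithmetic."""


def truth_table(monomials, n, const=0):
    """Truth table of an ANF given as monomials (tuples of 1-based variable indices).
    Index x encodes (x_n ... x_1) with x_1 as the least significant bit (Table 6.1)."""
    tt = []
    for x in range(1 << n):
        val = const
        for term in monomials:
            val ^= int(all((x >> (i - 1)) & 1 for i in term))
        tt.append(val)
    return tt


def walsh(tt):
    """F(w) = sum_x f(x) (-1)^(w.x) on the 0/1 truth table; w.x is the parity of w & x."""
    size = len(tt)
    return [sum(tt[x] * (-1) ** bin(w & x).count("1") for x in range(size))
            for w in range(size)]


def cayley_adjacency(tt):
    """A_f[i][j] = f(b(i) xor b(j)); the diagonal is f(0), so f(0) = 1 puts a loop on every vertex."""
    size = len(tt)
    return [[tt[i ^ j] for j in range(size)] for i in range(size)]


def spectrum_via_characters(tt):
    """Re-derive Theorem 5.4.4 numerically: check that each character
    Q_w(x) = (-1)^(w.x) satisfies A_f Q_w = lambda Q_w, and return the lambdas
    in index order (lambda_i belongs to w = b(i))."""
    A, size = cayley_adjacency(tt), len(tt)
    eig = []
    for w in range(size):
        q = [(-1) ** bin(w & x).count("1") for x in range(size)]
        Aq = [sum(A[i][j] * q[j] for j in range(size)) for i in range(size)]
        lam = Aq[0]                     # q[0] = +1, so (A q)[0] is the eigenvalue
        if any(Aq[i] != lam * q[i] for i in range(size)):
            raise ValueError("character %d is not an eigenvector" % w)
        eig.append(lam)
    return eig


def strongly_regular_params(A):
    """(n, r, e, f) if the loopless graph A is strongly regular, else None:
    every edge has e common neighbours and every non-edge f (Section 5.3)."""
    n = len(A)
    degrees = {sum(row) for row in A}
    if len(degrees) != 1:
        return None
    common_adj, common_non = set(), set()
    for i in range(n):
        for j in range(i + 1, n):
            c = sum(A[i][k] & A[j][k] for k in range(n))
            (common_adj if A[i][j] else common_non).add(c)
    if len(common_adj) != 1 or len(common_non) != 1:
        return None
    return n, degrees.pop(), common_adj.pop(), common_non.pop()


def srg_from_eigenvalues(r, s, t):
    """Theorem 5.3.12, reverse direction: (e, f, n) from the eigenvalues r > s > t."""
    return r + s + t + s * t, r + s * t, (r - s) * (r - t) // (r + s * t)


def triangles(eig):
    """|T(G)| = (1/6) sum lambda_i^3 for a loopless graph (closed 3-walks, Section 5.3)."""
    return sum(lam ** 3 for lam in eig) // 6


# Example 5.4.5: f = 1 + x1 + x2 on F_2^2, truth table [1, 0, 0, 1].
F_EXAMPLE = truth_table([(1,), (2,)], 2, const=1)
# A bent function on F_2^4, constructed for this example: x1 x2 + x3 x4.
F_BENT = truth_table([(1, 2), (3, 4)], 4)

if __name__ == "__main__":
    print("Example 5.4.5 spectrum:", spectrum_via_characters(F_EXAMPLE))   # [2, 0, 0, 2]
    eig = spectrum_via_characters(F_BENT)
    print("bent: distinct eigenvalues", sorted(set(eig)),
          "SRG parameters", strongly_regular_params(cayley_adjacency(F_BENT)))
```

For the bent function the spectrum is {6, 2, −2}, so vii*) gives e = 2, and Theorem 5.3.12 returns the
parameters (16, 6, 2, 2) that the common-neighbour count confirms directly.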
CHAPTER 6:
DES Spectra

In this chapter, the S-Boxes of DES are examined in several ways. First, we find the BF
representation for each of the coordinate functions within an S-Box. The relevant
cryptographic properties of these functions are then computed and compared to each other.
Second, we associate the BFs to a Cayley graph and examine the spectra of these graphs.
With the spectra and cryptographic properties of the functions on hand, we can deduce some
properties of the Cayley graph.

6.1 Methods

Recall from Chapter 4 that an S-Box is a function $f : \mathbb{F}_2^n \to \mathbb{F}_2^m$. For DES,
this function is $F : \mathbb{F}_2^6 \to \mathbb{F}_2^4$. Each of the boxes contains four
coordinate BFs, represented as $F(x) = (f_1(x), f_2(x), f_3(x), f_4(x))$, where each $f_i$ is a
mapping from the vector space $\mathbb{F}_2^6$ to the binary field $\mathbb{F}_2$, i.e.,
$f_i : \mathbb{F}_2^6 \to \mathbb{F}_2$. As an example of our approach, reconsider S-Box 1 from
Table 3.10, displayed for the reader below.


S-Box 1

ROW/COL   0000  0001  0010  0011  0100  0101  0110  0111
00        1110  0100  1101  0001  0010  1111  1011  1000
01        0000  1111  0111  0100  1110  0010  1101  0001
10        0100  0001  1110  1000  1101  0110  0010  1011
11        1111  1100  1000  0010  0100  0100  0001  0111

ROW/COL   1000  1001  1010  1011  1100  1101  1110  1111
00        0011  1010  0110  1100  0101  1001  0000  0111
01        1010  0110  1100  1011  1001  0101  0011  1000
10        1111  1100  1001  0111  0011  1010  0101  0000
11        0101  1011  0011  1110  1010  0000  0110  1101

Since each coordinate function has a total of $2^6$ input vectors, the S-Box entries represent
the 64 output bits of these functions. Thus, as a truth table function, $f_1$ has the following
sequence of outputs: (1,1,1,0,0,1,0,0,1,1,0,1,0,0,0,1,0,0,1,0,1,1,1,1,1,0,1,1,1,0,0,0,0,0,1,1,1,
0,1,0,0,1,1,0,1,1,0,0,0,1,0,1,1,0,0,1,0,0,0,0,0,1,1,1), corresponding to the entries of the
first (00) row in S-Box 1.

The ordering of input variables we choose is in reverse order, i.e., $f(x_6, x_5, x_4, x_3, x_2, x_1)$.
Again, the ordering of the variables is unimportant. Table 6.1 depicts the first 10 entries of
the truth table for $f_1$ as an explanation of the variable ordering.


x6  x5  x4  x3  x2  x1  |  f
 0   0   0   0   0   0  |  1
 0   0   0   0   0   1  |  1
 0   0   0   0   1   0  |  1
 0   0   0   0   1   1  |  0
 0   0   0   1   0   0  |  0
 0   0   0   1   0   1  |  1
 0   0   0   1   1   0  |  0
 0   0   0   1   1   1  |  0
 0   0   1   0   0   0  |  1
 0   0   1   0   0   1  |  1

Table 6.1: First 10 Truth Table Entries for S-Box 1.


The unique truth table output is then input into a software program to compute the various
cryptographic properties of the BFs. For this thesis, multiple programs are used for analysis
in order to verify accuracy, and these include SageMathCloud, R and R-Studio, as well as
Boolean Functions Workshop 1.3. The adjacency matrix is then formed from the definitions in
Chapter 5. Note that for any vector w in $\mathbb{F}_2^n$, $w \oplus w = 0$ over the binary field
$\mathbb{F}_2$. Thus, since an edge (w, u) is present in the associated Cayley graph if
$f(w \oplus u) = 1$, then $f(w \oplus w) = f(0) = 1$ implies the presence of a loop. Hence, if the
first output in a function's truth table sequence is a one, then the associated Cayley graph
has a loop at every vertex.

The adjacency matrix is then input into MATLAB, where the eigenvalues are computed and
compared to the corresponding function's WT for verification. The adjacency matrix is also
imported into MATLAB and Gephi to produce a graph.


6.2 DES S-Box Spectra 

This section details the results obtained via the methods in Section 6.1. Each S-Box is 
given its own subsection for reader clarity. Recall that the notation we adopt for spectra is 
given by Definition 5.3.1. 

6.2.1 S-Box 1 

The ANFs for the coordinate functions are displayed in Table 6.2. 


Function  ANF                                                                     Terms  Degree

f1        1 ⊕ x3 ⊕ x5 ⊕ x6 ⊕ x1x2 ⊕ x1x3 ⊕ x2x4 ⊕ x2x5 ⊕ x4x5 ⊕ x2x6 ⊕ x5x6 ⊕      31     5
          x1x3x4 ⊕ x2x3x4 ⊕ x1x3x5 ⊕ x2x3x5 ⊕ x1x4x5 ⊕ x3x4x5 ⊕ x1x2x6 ⊕ x2x3x6 ⊕
          x1x4x6 ⊕ x2x4x6 ⊕ x1x5x6 ⊕ x4x5x6 ⊕ x1x2x3x5 ⊕ x1x3x4x5 ⊕ x2x3x4x5 ⊕
          x1x3x4x6 ⊕ x2x3x5x6 ⊕ x1x4x5x6 ⊕ x1x2x3x4x5 ⊕ x1x2x3x5x6

f2        x3 ⊕ x5 ⊕ x6 ⊕ x1x4 ⊕ x2x4 ⊕ x3x4 ⊕ x1x6 ⊕ x5x6 ⊕ x1x2x4 ⊕ x2x3x4 ⊕      28     5
          x1x2x5 ⊕ x2x3x5 ⊕ x1x4x5 ⊕ x3x4x5 ⊕ x2x3x6 ⊕ x2x5x6 ⊕ x4x5x6 ⊕
          x1x2x4x5 ⊕ x2x3x4x5 ⊕ x1x2x4x5 ⊕ x1x3x4x6 ⊕ x2x3x4x6 ⊕ x1x2x5x6 ⊕
          x2x3x5x6 ⊕ x1x4x5x6 ⊕ x2x4x5x6 ⊕ x1x2x3x4x6 ⊕ x1x2x4x5x6

f3        x1 ⊕ x4 ⊕ x5 ⊕ x6 ⊕ x1x2 ⊕ x1x3 ⊕ x1x4 ⊕ x1x5 ⊕ x2x5 ⊕ x3x5 ⊕ x1x6 ⊕      26     5
          x4x6 ⊕ x2x3x4 ⊕ x1x4x5 ⊕ x1x2x6 ⊕ x1x3x6 ⊕ x2x3x6 ⊕ x2x4x6 ⊕ x3x4x6 ⊕
          x1x5x6 ⊕ x1x2x3x5 ⊕ x1x3x5x6 ⊕ x1x4x5x6 ⊕ x1x2x3x4x5 ⊕ x1x2x3x4x6 ⊕
          x1x2x3x5x6

f4        1 ⊕ x5 ⊕ x6 ⊕ x2x3 ⊕ x1x4 ⊕ x2x4 ⊕ x3x4 ⊕ x1x5 ⊕ x3x5 ⊕ x1x6 ⊕ x3x6 ⊕    33     5
          x1x2x4 ⊕ x1x3x4 ⊕ x2x3x4 ⊕ x1x2x5 ⊕ x2x4x5 ⊕ x2x3x6 ⊕ x3x4x6 ⊕ x1x5x6 ⊕
          x3x5x6 ⊕ x4x5x6 ⊕ x1x2x3x5 ⊕ x1x2x4x5 ⊕ x2x3x4x5 ⊕ x1x2x3x6 ⊕ x1x2x4x6 ⊕
          x1x3x4x6 ⊕ x1x2x5x6 ⊕ x1x3x5x6 ⊕ x1x4x5x6 ⊕ x2x4x5x6 ⊕ x1x2x3x4x5 ⊕
          x1x2x4x5x6

Table 6.2: ANF and Degree of S-Box 1 BFs.
Tables 6.3, 6.4, 6.5, and 6.6 display the various spectra for these same functions as well as
their relevant cryptographic criteria.

Function  Walsh Spectrum (W) and Walsh-Hadamard Spectrum (WH)

f1        W:  (32,0,0,0,0,0,-4,-4,2,2,-2,-2,-2,-2,-2,-2,0,0,4,-4,8,0,0,0,-2,6,-2,-2,2,2,-2,6,2,2,2,2,
              6,6,2,2,0,0,4,-12,-8,8,0,0,-2,-10,2,2,2,2,10,2,0,0,8,0,8,0,-4,-4)
          WH: (0,0,0,0,0,0,8,8,-4,-4,4,4,4,4,4,4,0,0,-8,8,-16,0,0,0,4,-12,4,4,-4,-4,4,-12,-4,-4,-4,-4,
              -12,-12,-4,-4,0,0,-8,24,16,-16,0,0,4,20,-4,-4,-4,-4,-20,-4,0,0,-16,0,-16,0,8,8)

f2        W:  (32,0,0,0,2,2,2,2,0,4,0,-4,-6,6,2,6,2,2,2,-6,-8,0,0,0,-2,2,-2,2,-4,0,-4,0,0,-4,0,
              -4,2,-2,2,-2,0,8,0,0,-6,-6,2,-6,-2,-6,-2,2,-4,0,-12,0,2,-6,2,10,-8,0,8,0)
          WH: (0,0,0,0,-4,-4,-4,-4,0,-8,0,8,12,-12,-4,-12,-4,-4,-4,12,16,0,0,0,4,-4,4,-4,8,0,8,0,0,8,0,
              8,-4,4,-4,4,0,-16,0,0,12,12,-4,12,4,12,4,-4,8,0,24,0,-4,12,-4,-20,16,0,-16,0)

f3        W:  (32,0,0,0,4,-4,0,0,2,-2,2,-2,2,-2,-2,2,2,-2,6,2,2,6,2,-2,-4,-4,0,0,0,0,0,-8,-2,2,2,-2,
              -2,2,6,-6,-4,-12,0,0,0,0,8,8,-8,0,0,0,4,-4,0,-8,-2,2,-10,2,-10,2,2,-2)
          WH: (0,0,0,0,-8,8,0,0,-4,4,-4,4,-4,4,4,-4,-4,4,-12,-4,-4,-12,-4,4,8,8,0,0,0,0,0,16,4,-4,-4,4,
              4,-4,-12,12,8,24,0,0,0,0,-16,-16,16,0,0,0,-8,8,0,16,4,-4,20,-4,20,-4,-4,4)

f4        W:  (32,0,0,0,-2,-2,-2,-2,0,0,4,4,6,-2,2,-6,4,4,0,0,2,-6,-2,6,8,-8,0,0,-2,-2,-2,-2,-2,-2,2,
              2,0,0,4,4,6,-2,6,-2,0,0,-8,-8,-2,6,6,-2,8,8,0,0,2,2,-2,-2,4,4,-8,8)
          WH: (0,0,0,0,4,4,4,4,0,0,-8,-8,-12,4,-4,12,-8,-8,0,0,-4,12,4,-12,-16,16,0,0,4,4,4,4,4,4,-4,
              -4,0,0,-8,-8,-12,4,-12,4,0,0,16,16,4,-12,-12,4,-16,-16,0,0,-4,-4,4,4,-8,-8,16,-16)

Table 6.3: Walsh Spectra and Walsh-Hadamard Spectra of S-Box 1 BFs.


Function  Cayley Graph Spectrum ($\lambda_1 \leq \lambda_2 \leq \cdots \leq \lambda_n$;                Distinct $\lambda_i$
          distinct eigenvalues with multiplicities below)

f1        λ:  -12  -10   -8   -4   -2    0    2    4    6    8   10   32                          12
          m:    1    1    1    5   11   18   15    2    4    4    1    1

f2        λ:  -12   -8   -6   -4   -2    0    2    4    6    8   10   32                          12
          m:    1    2    7    6    6   19   16    1    2    2    1    1

f3        λ:  -12  -10   -8   -6   -4   -2    0    2    4    6    8   32                          12
          m:    1    2    3    1    5   11   18   15    2    3    2    1

f4        λ:   -8   -6   -2    0    2    4    6    8   32                                          9
          m:    4    2   18   15    6    8    6    4    1

Table 6.4: Cayley Graph Spectra of S-Box 1 BFs.

Table 6.5: Laplacian Spectra of Cayley Graphs Associated with S-Box 1 BFs.


Crypto Property             f1    f2    f3    f4
Degree                      5     5     5     5
Balanced                    Yes   Yes   Yes   Yes
Weight                      32    32    32    32
Nonlinearity                20    20    20    24
Algebraic Immunity          3     3     3     3
Correlation Immunity Order  0     0     0     0
Resiliency Order            0     0     0     0

Table 6.6: Cryptographic Properties of S-Box 1 BFs.


Figure 6.1 represents the Cayley graph for the first row BF. Due to software limitations,
loops are not present.

Figure 6.1: Cayley Graph Representation for $f_1$ of S-Box 1, Loops Not Present.

Spectral Observations

Here we state some observations from the Cayley graphs of S-Box 1 with the relations given in
Chapter 5. (For many of these graph properties, we consider only the underlying simple graph
for those pseudographs with loops, since many graph parameters are only defined on simple
graphs.)

Regularity: The Cayley graphs associated with all of the 32 BFs are regular of degree
$\mathrm{wt}(f) = |\Omega_f| = 32$.

Connectivity: This is apparent from the first graph in Figure 6.1, but all graphs $\Gamma_f$ are
connected since the multiplicity of $\lambda_n = 32$ is 1 (also $\mu_2 > 0$ and
$\dim(\Omega_f) = 6$). Additionally, since $m(\mu_1) = 1$, $\Gamma_f$ has one component. Since
none of the Walsh spectra are symmetric with respect to zero, we do not see any Cayley spectra
where $\lambda_1 = -32$.

Bipartite: None of the graphs are bipartite since the Walsh spectra are not symmetric with
respect to 0.

Rank: The ranks of the adjacency matrices $A_{f_i}$ are equal to 46, 45, 46, and 49, respectively.

Diameter: The diameters of the Cayley graphs associated with S-Box 1 are bounded according to
the following inequalities:

$0.0028 \leq \mathrm{Diam}(\Gamma_{f_1}) \leq 12 - 1 = 11$;
$0.0028 \leq \mathrm{Diam}(\Gamma_{f_2}) \leq 12 - 1 = 11$;
$0.0026 \leq \mathrm{Diam}(\Gamma_{f_3}) \leq 12 - 1 = 11$;
$0.0026 \leq \mathrm{Diam}(\Gamma_{f_4}) \leq 9 - 1 = 8$.

Using SageMathCloud, we determine the diameter to be 2 for all four of the Cayley graphs.

Edge Connectivity: Since $\mu_2$ is 22 or 24, we have an idea of the number of edges needed in
an edge-cut of the Cayley graphs.

Spanning Trees: The Cayley graphs for these functions have large complexities. Chapter 5
provided a formula for the number of spanning trees in a graph in terms of the nonzero
Laplacian eigenvalues. It is also known that for r-regular graphs of order n, the complexity
of the graph G is bounded above [76] by

$$t(G) \leq \frac{1}{n}\left(\frac{nr}{n - 1}\right)^{n-1}.$$

The numbers of spanning trees in these graphs are approximately $2.277 \times 10^{93}$,
$1.731 \times 10^{93}$, $1.7648 \times 10^{93}$, and $2.2708 \times 10^{93}$. These complexities
come close to the upper bound of $2.8129 \times 10^{93}$, but interestingly $\Gamma_{f_4}$ has
the smallest complexity and also the smallest number of distinct eigenvalues (and consequently
a tighter upper bound on diameter).

Clique and Independence Number: We have bounds for the clique number based on the details in
Chapter 5, and these are universal for all of the S-Boxes since they are in terms of the
spectral radius. Thus, we have $2 \leq \omega(\Gamma_f) \leq 33$ for the entire set of
S-Boxes. This bound is not ideal, since we would like a tighter interval. Methods are
available, however, for computing the clique number of a graph with the aid of NetworkX and
Python. Using SageMathCloud, we compute the clique number to be 8 for all four graphs, i.e.,
$\omega(\Gamma_f) = 8$. For the independence number, we have an upper bound based on the
inequality in Chapter 5 for regular graphs. Hence, $\alpha(\Gamma_f)$ is bounded above by
17.4545, 17.4545, 17.4545, and 12.8, respectively. Using the Independent Set Algorithm by
Dharwadker [103], however, the independence number is found to be $\alpha(\Gamma_f) = 8$ for
the S-Box 1 Cayley graphs.

Chromatic Number: The bounds for $\chi(G)$ given in Chapter 5 give us that
$3.6 \leq \chi(\Gamma_f) \leq 32$. We can increase the lower bound slightly since it is known
that $\omega \leq \chi$. Hence, $8 \leq \chi(\Gamma_f) \leq 32$. Using SageMathCloud, we compute
the chromatic number also to be 8 for all four graphs.
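The procedure of Section 6.1 and the spectral observations above, carried out in code on DES
S-Box 1. This is an added example, not the thesis's software pipeline: it extracts the four
coordinate truth tables from the standard S-box under an assumed bit convention (stated in the
docstring; the thesis's own index ordering is not recoverable from the page, so the numbers need
not match Table 6.6 entry for entry), then reads weight, balancedness, loops, nonlinearity,
correlation-immunity order (property xi*), connectivity (properties i* and ii), $\mu_2$, the
complexity via the matrix-tree theorem, and the diameter off the Walsh spectrum; the function
names are the example's own.

```python
"""Section 6.1 method on DES S-Box 1: coordinate BFs -> Walsh spectrum -> Cayley-graph
parameters (Chapter 5 results). Added example, not the thesis's code. Assumed
convention (FIPS 46-3): input bits b1..b6 select row b1b6 and column b2b3b4b5; the
truth-table index x has x_k = b_k with x_1 least significant. The thesis's own index
convention is not recoverable from the page, so numbers need not match Table 6.6."""

# Standard DES S-Box 1 (FIPS 46-3); rows 00, 01, 10, 11; columns 0000..1111.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def coordinate_functions(sbox):
    """Truth tables (length 64) of f_1..f_4; f_1 is the most significant output bit."""
    tts = [[0] * 64 for _ in range(4)]
    for x in range(64):
        b = [(x >> k) & 1 for k in range(6)]            # b[k-1] = b_k = x_k
        out = sbox[2 * b[0] + b[5]][8 * b[1] + 4 * b[2] + 2 * b[3] + b[4]]
        for i in range(4):
            tts[i][x] = (out >> (3 - i)) & 1
    return tts


def walsh_hadamard(tt):
    """WH(w) = sum_x (-1)^(f(x) + w.x), the second row of each entry of Table 6.3."""
    size = len(tt)
    return [sum((-1) ** (tt[x] + bin(w & x).count("1")) for x in range(size))
            for w in range(size)]


def cayley_spectrum(tt):
    """lambda_w = F(w) = (2^n [w = 0] - WH(w)) / 2, the Walsh spectrum of the
    0/1-valued f, which by Theorem 5.4.4 is the spectrum of Gamma_f."""
    size, wh = len(tt), walsh_hadamard(tt)
    return [((size if w == 0 else 0) - wh[w]) // 2 for w in range(size)]


def diameter(tt):
    """Diameter of the underlying simple graph of Gamma_f by BFS from vertex 0
    (Cayley graphs are vertex-transitive, so one source suffices); None if disconnected."""
    size = len(tt)
    support = [s for s in range(1, size) if tt[s]]       # s = 0 would only add loops
    dist, frontier = {0: 0}, [0]
    while frontier:
        nxt = []
        for v in frontier:
            for u in (v ^ s for s in support):
                if u not in dist:
                    dist[u] = dist[v] + 1
                    nxt.append(u)
        frontier = nxt
    return max(dist.values()) if len(dist) == size else None


def spanning_tree_bound(n, r):
    """AM-GM bound on the complexity of an r-regular graph of order n,
    t(G) <= (1/n) (n r / (n - 1))^(n - 1), quoted in Subsection 6.2.1."""
    return (n * r / (n - 1)) ** (n - 1) / n


def cayley_properties(tt):
    """Parameters of Gamma_f read from its spectrum, in the spirit of Table 6.6
    and the 'Spectral Observations' of Subsection 6.2.1."""
    size = len(tt)
    n = size.bit_length() - 1
    spec = cayley_spectrum(tt)
    weight, others = spec[0], spec[1:]                  # lambda_0 = row sum = wt(f)
    # Nonlinearity from the WH values: WH(0) = 2^n - 2 wt(f) and WH(w) = -2 lambda_w.
    max_wh = max(abs(size - 2 * weight), 2 * max(abs(v) for v in others))
    # Property xi*: correlation immune of order t iff lambda_w = 0 for 1 <= wt(w) <= t.
    ci = 0
    while ci < n and all(spec[w] == 0 for w in range(1, size)
                         if bin(w).count("1") == ci + 1):
        ci += 1
    # Property i*: multiplicity of lambda_0 is 2^(n - dim<Omega_f>); ii): dim = n => connected.
    dim_support = n - (spec.count(weight).bit_length() - 1)
    # Laplacian eigenvalues of the (underlying simple) regular graph: mu_w = wt(f) - lambda_w
    # for w != 0; matrix-tree theorem: t(G) = (1/n) prod mu_w, exact in integer arithmetic.
    laplacian = [weight - lam for lam in others]
    prod = 1
    for mu in laplacian:
        prod *= mu
    return {
        "weight": weight, "balanced": weight == size // 2, "loops": tt[0] == 1,
        "nonlinearity": (size - max_wh) // 2, "ci_order": ci,
        "dim_support": dim_support, "connected": dim_support == n,
        "mu2": min(laplacian), "distinct_eigenvalues": len(set(spec)),
        "diameter": diameter(tt), "spanning_trees": prod // size,
    }


if __name__ == "__main__":
    for i, tt in enumerate(coordinate_functions(S1), start=1):
        print("f%d:" % i, cayley_properties(tt))
    print("upper bound on t(G) for n = 64, r = 32: %.4e" % spanning_tree_bound(64, 32))
```

Because the Laplacian eigenvalues of a 32-regular Cayley graph are $32 - \lambda_w$, the
complexity is an exact integer product here, and the printed upper bound reproduces the
$2.8129 \times 10^{93}$ quoted above.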

6.2.2 S-Box 2 

In this subsection, we mimic the approach taken in Subsection 6.2.1, with less explanation. 

S-Box 2 is displayed in Table 6.7. 


S-Box 2

ROW/COL   0000  0001  0010  0011  0100  0101  0110  0111
00        1111  0001  1000  1110  0110  1011  0011  0100
01        0011  1101  0100  0111  1111  0010  1000  1110
10        0000  1110  0111  1011  1010  0100  1101  0001
11        1101  1000  1010  0001  0011  1111  0100  0010

ROW/COL   1000  1001  1010  1011  1100  1101  1110  1111
00        1001  0111  0010  1101  1100  0000  0101  1010
01        1100  0000  0001  1010  0110  1001  1011  0101
10        0101  1000  1100  0110  1001  0011  0010  1111
11        1011  0110  0111  1100  0000  0101  1110  1001

Table 6.7: S-Box 2 in Binary Form.

The BFs in S-Box 2 are converted to their ANFs in Table 6.8. Tables 6.9, 6.10, 6.11, and
6.12 follow in the same manner as before.


Function  ANF                                                                     Terms  Degree

f1        1 ⊕ x3 ⊕ x5 ⊕ x1x4 ⊕ x2x4 ⊕ x3x4 ⊕ x1x5 ⊕ x2x5 ⊕ x1x6 ⊕ x2x6 ⊕ x4x6 ⊕    28     5
          x5x6 ⊕ x1x2x3 ⊕ x1x2x4 ⊕ x1x3x4 ⊕ x2x3x4 ⊕ x2x3x5 ⊕ x2x4x5 ⊕ x2x4x6 ⊕
          x3x4x6 ⊕ x2x5x6 ⊕ x1x2x3x4 ⊕ x1x2x4x5 ⊕ x2x3x4x5 ⊕ x1x3x4x6 ⊕ x2x3x4x6 ⊕
          x1x2x3x4x5 ⊕ x1x2x3x5x6

f2        x2 ⊕ x3 ⊕ x5 ⊕ x6 ⊕ x1x4 ⊕ x2x4 ⊕ x3x4 ⊕ x2x5 ⊕ x4x6 ⊕ x1x2x3 ⊕           23     4
          x1x2x4 ⊕ x2x3x4 ⊕ x2x3x5 ⊕ x2x3x6 ⊕ x1x4x6 ⊕ x3x4x6 ⊕ x1x5x6 ⊕ x2x5x6 ⊕
          x1x2x3x4 ⊕ x1x3x4x5 ⊕ x2x3x4x5 ⊕ x1x2x3x6 ⊕ x1x2x4x6

f3        x3 ⊕ x5 ⊕ x1x4 ⊕ x2x4 ⊕ x1x5 ⊕ x1x6 ⊕ x4x6 ⊕ x1x2x3 ⊕ x1x2x4 ⊕            21     5
          x2x3x4 ⊕ x2x3x6 ⊕ x1x5x6 ⊕ x2x5x6 ⊕ x1x2x3x4 ⊕ x1x2x4x6 ⊕ x1x3x4x6 ⊕
          x1x3x5x6 ⊕ x2x3x5x6 ⊕ x2x4x5x6 ⊕ x1x2x3x5x6 ⊕ x1x2x4x5x6

f4        1 ⊕ x2 ⊕ x5 ⊕ x1x2 ⊕ x1x3 ⊕ x1x4 ⊕ x2x4 ⊕ x3x4 ⊕ x3x5 ⊕ x1x6 ⊕ x2x6 ⊕    33     5
          x3x6 ⊕ x4x6 ⊕ x1x2x4 ⊕ x1x2x5 ⊕ x1x3x5 ⊕ x2x3x5 ⊕ x1x3x6 ⊕ x2x3x6 ⊕
          x1x4x6 ⊕ x3x4x6 ⊕ x1x5x6 ⊕ x1x2x3x4 ⊕ x1x3x4x5 ⊕ x1x2x3x6 ⊕ x1x2x4x6 ⊕
          x1x3x4x6 ⊕ x2x3x4x6 ⊕ x2x4x5x6 ⊕ x1x2x3x4x5 ⊕ x1x2x3x4x6 ⊕ x1x2x3x5x6 ⊕
          x1x2x4x5x6

Table 6.8: ANF and Degree of S-Box 2 BFs.
Function   Walsh Spectrum (W) and Walsh-Hadamard Spectrum (WH)

$f_1$
W:  (32, 0, 0, 0, 0, 0, 0, 0, 2, -2, -2, 2, 6, 2, 10, -2, 4, 0, 0, 4, -4, 8, 0, 4, 2, -6, -6, 2, 6, -2, -2, 6,
     2, 2, -2, -2, 2, 2, -2, -2, 4, 0, -4, 0, 0, -4, 0, -12, -2, 2, 6, 2, 6, -6, 6, 2, -4, -4, 0, 0, 8, 8, -4, -4)
WH: (0, 0, 0, 0, 0, 0, 0, 0, -4, 4, 4, -4, -12, -4, -20, 4, -8, 0, 0, -8, 8, -16, 0, -8, -4, 12, 12, -4, -12, 4, 4, -12,
     -4, -4, 4, 4, -4, -4, 4, 4, -8, 0, 8, 0, 0, 8, 0, 24, 4, -4, -12, -4, -12, 12, -12, -4, 8, 8, 0, 0, -16, -16, 8, 8)

$f_2$
W:  (32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, -8, -4, -4, 0, 0, -4, -4, 0, 0, 0, 0, 4, 4, 0, 8, -4, 4,
     4, 0, 0, -4, -4, 0, 0, 4, 4, 0, -8, 4, 4, 0, -8, 4, 4, -8, -4, 0, -4, 8, -4, -8, 0, 4, 0, 4, -8, -4, -8, -4)
WH: (0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, -16, 0, 0, 16, 8, 8, 0, 0, 8, 8, 0, 0, 0, 0, -8, -8, 0, -16, 8, -8,
     -8, 0, 0, 8, 8, 0, 0, -8, -8, 0, 16, -8, -8, 0, 16, -8, -8, 16, 8, 0, 8, -16, 8, 16, 0, -8, 0, -8, 16, 8, 16, 8)

$f_3$
W:  (32, 0, 0, 0, -2, -2, 2, 2, -6, 2, 2, 2, 0, 0, -4, 4, 0, 0, 4, -4, -2, -10, -2, -2, -2, -2, 2, 2, -4, -4, -4, -4,
     0, 0, 0, 0, 2, 2, -2, -2, -2, 6, 6, -10, -8, 8, -4, 4, 4, 4, -8, 0, -10, -2, -2, -2, -2, -2, 2, 2, 0, 0, 8, 8)
WH: (0, 0, 0, 0, 4, 4, -4, -4, 12, -4, -4, -4, 0, 0, 8, -8, 0, 0, -8, 8, 4, 20, 4, 4, 4, 4, -4, -4, 8, 8, 8, 8,
     0, 0, 0, 0, -4, -4, 4, 4, 4, -12, -12, 20, 16, -16, 8, -8, -8, -8, 16, 0, 20, 4, 4, 4, 4, 4, -4, -4, 0, 0, -16, -16)

$f_4$
W:  (32, 0, 0, 0, 2, 2, -2, -2, 2, -2, -2, 2, -4, 0, -4, 8, 2, 2, 2, 2, 8, 0, -4, 4, 0, 4, 4, 0, 6, -6, 6, 2,
     -2, 2, -2, 2, 0, -4, 4, 0, 8, 0, 4, 4, 2, -6, -6, -6, -4, 0, 4, 8, 2, 6, 6, -6, -6, -6, 6, -2, 0, -8, 0, 0)
WH: (0, 0, 0, 0, -4, -4, 4, 4, -4, 4, 4, -4, 8, 0, 8, -16, -4, -4, -4, -4, -16, 0, 8, -8, 0, -8, -8, 0, -12, 12, -12, -4,
     4, -4, 4, -4, 0, 8, -8, 0, -16, 0, -8, -8, -4, 12, 12, 12, 8, 0, -8, -16, -4, -12, -12, 12, 12, 12, -12, 4, 0, 16, 0, 0)


Table 6.9: Walsh Spectra and Walsh-Hadamard Spectra of S-Box 2 BFs.


Function   Cayley Graph Spectra ($\lambda_1 \le \lambda_2 \le \dots \le \lambda_n$)          Distinct $\lambda_i$

$f_1$      $\lambda$:   -12   -6   -4   -2    0    2    4    6    8   10   32             11
           mult:    1    3    7   10   16   12    4    6    3    1    1

$f_2$      $\lambda$:    -8   -4    0    4    8   32                                      6
           mult:    7   12   29   12    3    1

$f_3$      $\lambda$:   -10   -8   -6   -4   -2    0    2    4    6    8   32             11
           mult:    3    2    1    7   15   14   11    5    2    3    1

$f_4$      $\lambda$:    -8   -6   -4   -2    0    2    4    6    8   32                  10
           mult:    1    7    5    7   14   13    7    5    4    1


Table 6.10: Cayley Graph Spectra of S-Box 2 BFs.
Function   Laplacian Spectra ($\mu_1 \le \mu_2 \le \dots \le \mu_n$)

$f_1$      $\mu$:      0   22   24   26   28   30   32   34   36   38   44
           mult:    1    1    3    6    4   12   16   10    7    3    1

$f_2$      $\mu$:      0   24   28   32   36   40
           mult:    1    3   12   29   12    7

$f_3$      $\mu$:      0   24   26   28   30   32   34   36   38   40   42
           mult:    1    2    3    5   11   14   15    7    1    2    3

$f_4$      $\mu$:      0   24   26   28   30   32   34   36   38   40
           mult:    1    4    5    7   13   14    7    5    7    1


Table 6.11: Laplacian Spectra of Cayley Graphs Associated with S-Box 2 BFs.


Crypto Property               f1    f2    f3    f4
Degree                         5     4     5     5
Balanced                      Yes   Yes   Yes   Yes
Weight                        32    32    32    32
Nonlinearity                  20    24    22    24
Algebraic Immunity             3     3     3     3
Correlation Immunity Order     0     0     0     0
Resiliency Order               0     0     0     0


Table 6.12: Cryptographic Properties of S-Box 2 BFs.


Figure 6.2 shows the Cayley graph for the second-row BF, $f_2$. Since all of these Cayley
graphs are 32-regular on 64 vertices, their drawings look alike, and we omit the remaining
graphical representations from this thesis.

Figure 6.2: Cayley Graph Representation for $f_2$ of S-Box 1.
Spectral Observations

For the second S-Box we deviate from the previous subsection and present the results in
table format, omitting the bounds where the exact value was computed.


Graph Parameter            Γ_f1              Γ_f2              Γ_f3              Γ_f4
Regularity; deg            Yes; 32           Yes; 32           Yes; 32           Yes; 32
Connected; κ(Γ_f)          Yes; 1            Yes; 1            Yes; 1            Yes; 1
Bipartite                  No                No                No                No
Rank(A_Γf)                 48                35                50                50
Diameter                   2                 2                 2                 2
Spanning Trees; τ(Γ_f)     2.2642 × 10^92    1.7368 × 10^93    1.8851 × 10^93    2.2737 × 10^92
Clique Number              8                 8                 8                 8
Independence Number        8                 8                 8                 8
Chromatic Number           8                 8                 8                 8


Table 6.13: Properties of Cayley Graphs Associated with S-Box 2 BFs.
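The quantities tabulated above for S-Box 2 can be recomputed from the binary table alone. The Python script below is an added example, not code from the thesis or from the software it used (SageMathCloud, R, NetworkX). It follows the convention the tables imply: the truth table of $f_r$ is the 64-bit string obtained by concatenating the 4-bit outputs of S-box row $r$ in column order, each output written MSB first, read at index $t = x_1 + 2x_2 + \dots + 32x_6$. From that it derives the Walsh spectrum (which is the Cayley graph spectrum), the Walsh-Hadamard spectrum, the ANF by the Möbius transform, the nonlinearity, the Laplacian spectrum $\mu = 32 - \lambda$, the rank of the adjacency matrix, and the ratio bound on the independence number used for S-Box 1 above. The S-box values are DES S-Box 2 as in Table 6.7; the function names are mine.

```python
"""Spectral analysis of the row Boolean functions of a DES S-box (added example)."""
from collections import Counter

N_VARS = 6
N = 1 << N_VARS          # 64 inputs, one per vertex of the Cayley graph

# DES S-Box 2 in decimal; the same values as Table 6.7.
S2 = [
    [15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
    [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
    [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
    [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9],
]


def row_truth_table(sbox, r):
    """Truth table of f_r indexed by t = x1 + 2*x2 + ... + 32*x6.

    Entry t is bit 3 - (t mod 4) of S[r][t div 4], i.e. the 64 bits of the row
    as written in binary in Table 6.7, read left to right.
    """
    return [(sbox[r][t >> 2] >> (3 - (t & 3))) & 1 for t in range(N)]


def _butterfly(vec, combine):
    """Radix-2 butterfly over the 6 coordinates; the Walsh and the Moebius
    transform differ only in how a pair (v[j], v[j+h]) is combined."""
    v = list(vec)
    h = 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                v[j], v[j + h] = combine(v[j], v[j + h])
        h <<= 1
    return v


def walsh_spectrum(tt):
    """W_f(a) = sum_x f(x) (-1)^(a.x).  For Cay(Z_2^6, supp f) these 64 numbers
    are exactly the adjacency eigenvalues (Table 6.10)."""
    return _butterfly(tt, lambda u, w: (u + w, u - w))


def walsh_hadamard_spectrum(tt):
    """WH_f(a) = sum_x (-1)^(f(x) + a.x) = 64*[a = 0] - 2 W_f(a) (Table 6.9)."""
    return _butterfly([1 - 2 * b for b in tt], lambda u, w: (u + w, u - w))


def anf_coefficients(tt):
    """Moebius transform: c[m] = 1 iff the monomial prod_{i in m} x_{i+1}
    (bit i of m set) occurs in the algebraic normal form (Table 6.8)."""
    return _butterfly(tt, lambda u, w: (u, u ^ w))


def analyse_row(sbox, r):
    """All spectral and cryptographic quantities of f_r in one dictionary."""
    tt = row_truth_table(sbox, r)
    W = walsh_spectrum(tt)
    WH = walsh_hadamard_spectrum(tt)
    coeffs = anf_coefficients(tt)
    monomials = [m for m in range(N) if coeffs[m]]
    weight = sum(tt)                # = W[0] = vertex degree of the Cayley graph
    spectrum = Counter(W)           # eigenvalue -> multiplicity
    lam_min = min(W)
    return {
        "weight": weight,
        "balanced": weight == N // 2,
        "constant_term": coeffs[0],
        "degree": max(bin(m).count("1") for m in monomials),
        "terms": len(monomials),
        # NL = 2^(n-1) - max|WH|/2; for balanced f, WH[0] = 0, so all of WH counts.
        "nonlinearity": (N - max(abs(v) for v in WH)) // 2,
        "spectrum": spectrum,
        "distinct_eigenvalues": len(spectrum),
        # L = D - A with D = weight*I, so mu = weight - lambda (Table 6.11).
        "laplacian": Counter(weight - lam for lam in W),
        # A is symmetric, so rank(A) = 64 - multiplicity of the eigenvalue 0.
        "rank": N - spectrum[0],
        # Ratio (Hoffman) bound alpha <= n(-lambda_min)/(d - lambda_min), d-regular graph.
        "alpha_upper_bound": N * (-lam_min) / (weight - lam_min),
    }


if __name__ == "__main__":
    for r in range(4):
        res = analyse_row(S2, r)
        print(f"f{r + 1}: degree {res['degree']}, {res['terms']} ANF terms, "
              f"nonlinearity {res['nonlinearity']}, "
              f"{res['distinct_eigenvalues']} distinct eigenvalues, "
              f"rank {res['rank']}, alpha <= {res['alpha_upper_bound']:.4f}")
```

Run as a script it reports, for $f_1$ through $f_4$, degrees 5, 4, 5, 5, nonlinearities 20, 24, 22, 24, and 11, 6, 11, 10 distinct eigenvalues, matching Tables 6.8, 6.10, 6.12 and 6.13. The clique, independence and chromatic numbers are not spectral quantities; they need a graph library, for instance NetworkX's find_cliques on the graph with vertex set $\mathbb{Z}_2^6$ and edges $\{u, u \oplus s\}$ for $s$ in the support of $f$.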


6.2.3 S-Box 3 

S-Box 3 is displayed in Table 6.14. 


S-Box 3

ROW/COL   0000  0001  0010  0011  0100  0101  0110  0111
00        1010  0000  1001  1110  0110  0011  1111  0101
01        1101  0111  0000  1001  0011  0100  0110  1010
10        1101  0110  0100  1001  1000  1111  0011  0000
11        0001  1010  1101  0000  0110  1001  1000  0111

ROW/COL   1000  1001  1010  1011  1100  1101  1110  1111
00        0001  1101  1100  0111  1011  0100  0010  1000
01        0010  1000  0101  1110  1100  1011  1111  0001
10        1011  0001  0010  1100  0101  1010  1110  0111
11        0100  1111  1110  0011  1011  0101  0010  1100

Table 6.14: S-Box 3 in Binary Form.
The BFs in S-Box 3 are converted to their ANFs in Table 6.15. Tables 6.16, 6.17, 6.18, and
6.19 follow in the same manner as before.


Function   ANF   (Number of Terms; Degree)

$f_1$  (30 terms; degree 5):
$1 \oplus x_1 \oplus x_3 \oplus x_5 \oplus x_6 \oplus x_1x_3 \oplus x_2x_4 \oplus x_3x_4 \oplus x_2x_5 \oplus x_3x_5 \oplus x_4x_5 \oplus x_1x_6 \oplus x_4x_6
\oplus x_2x_3x_4 \oplus x_1x_4x_5 \oplus x_1x_2x_6 \oplus x_1x_3x_6 \oplus x_2x_3x_6 \oplus x_3x_4x_6 \oplus x_1x_5x_6 \oplus x_2x_5x_6 \oplus x_3x_5x_6 \oplus x_4x_5x_6
\oplus x_1x_2x_3x_4 \oplus x_2x_3x_4x_5 \oplus x_1x_2x_4x_6 \oplus x_1x_3x_4x_6 \oplus x_2x_3x_5x_6 \oplus x_1x_2x_3x_4x_5 \oplus x_1x_2x_4x_5x_6$

$f_2$  (29 terms; degree 5):
$1 \oplus x_2 \oplus x_3 \oplus x_4 \oplus x_5 \oplus x_6 \oplus x_1x_2 \oplus x_1x_3 \oplus x_2x_4 \oplus x_3x_5 \oplus x_4x_5 \oplus x_4x_6
\oplus x_1x_2x_4 \oplus x_2x_3x_4 \oplus x_1x_2x_5 \oplus x_2x_3x_5 \oplus x_1x_4x_5 \oplus x_2x_4x_5 \oplus x_3x_4x_5 \oplus x_1x_4x_6 \oplus x_4x_5x_6
\oplus x_1x_2x_3x_5 \oplus x_1x_2x_4x_5 \oplus x_1x_3x_4x_5 \oplus x_2x_3x_4x_5 \oplus x_2x_3x_4x_6 \oplus x_2x_4x_5x_6
\oplus x_1x_2x_3x_4x_5 \oplus x_1x_2x_3x_4x_6$

$f_3$  (29 terms; degree 5):
$1 \oplus x_2 \oplus x_3 \oplus x_4 \oplus x_1x_2 \oplus x_1x_3 \oplus x_1x_4 \oplus x_2x_4 \oplus x_1x_5 \oplus x_3x_5 \oplus x_1x_6 \oplus x_2x_6 \oplus x_5x_6
\oplus x_1x_2x_3 \oplus x_1x_3x_4 \oplus x_2x_3x_4 \oplus x_2x_3x_5 \oplus x_2x_4x_5 \oplus x_1x_5x_6 \oplus x_3x_5x_6
\oplus x_1x_2x_4x_5 \oplus x_2x_3x_4x_5 \oplus x_1x_2x_3x_6 \oplus x_2x_3x_4x_6 \oplus x_1x_2x_5x_6 \oplus x_1x_3x_5x_6 \oplus x_2x_3x_5x_6
\oplus x_1x_2x_3x_4x_5 \oplus x_1x_2x_3x_4x_6$

$f_4$  (26 terms; degree 5):
$x_3 \oplus x_4 \oplus x_1x_2 \oplus x_1x_3 \oplus x_2x_4 \oplus x_1x_5 \oplus x_2x_5 \oplus x_1x_6 \oplus x_5x_6
\oplus x_1x_2x_3 \oplus x_1x_3x_4 \oplus x_2x_3x_4 \oplus x_1x_2x_5 \oplus x_1x_3x_5 \oplus x_2x_4x_5 \oplus x_1x_4x_6 \oplus x_2x_4x_6 \oplus x_1x_5x_6 \oplus x_2x_5x_6
\oplus x_1x_2x_3x_5 \oplus x_1x_2x_4x_5 \oplus x_1x_3x_4x_5 \oplus x_2x_3x_4x_5 \oplus x_1x_2x_5x_6 \oplus x_1x_2x_3x_5x_6 \oplus x_1x_2x_4x_5x_6$


Table 6.15: ANF and Degree of S-Box 3 BFs.
Function   Walsh Spectrum (W) and Walsh-Hadamard Spectrum (WH)

$f_1$
W:  (32, 0, 0, 0, 2, 6, -2, 2, -4, 0, -4, 0, 2, 2, -2, -2, 0, 0, 4, 4, -6, -2, 2, 6, -4, 0, 0, 4, 2, 2, -6, -6,
     2, 2, -2, -2, 4, 0, 4, 0, -6, 6, -2, -6, 0, 0, 8, -8, -6, 10, 2, 2, 4, 0, -8, 4, 2, -2, 2, -2, 8, 8, 4, 4)
WH: (0, 0, 0, 0, -4, -12, 4, -4, 8, 0, 8, 0, -4, -4, 4, 4, 0, 0, -8, -8, 12, 4, -4, -12, 8, 0, 0, -8, -4, -4, 12, 12,
     -4, -4, 4, 4, -8, 0, -8, 0, 12, -12, 4, 12, 0, 0, -16, 16, 12, -20, -4, -4, -8, 0, 16, -8, -4, 4, -4, 4, -16, -16, -8, -8)

$f_2$
W:  (32, 0, 0, 0, 0, -4, 0, -4, 0, 0, 0, 0, 0, 4, 0, 4, -2, -2, 2, 2, -6, -2, -2, 2, 2, 2, -2, -2, 6, 2, 2, -2,
     -2, -2, -2, -2, -2, 2, -2, 2, 6, -10, -2, -2, 6, 2, -2, 10, 4, -4, 0, 8, 0, 4, 12, 0, 8, 0, 4, -4, -4, -8, 8, 4)
WH: (0, 0, 0, 0, 0, 8, 0, 8, 0, 0, 0, 0, 0, -8, 0, -8, 4, 4, -4, -4, 12, 4, 4, -4, -4, -4, 4, 4, -12, -4, -4, 4,
     4, 4, 4, 4, 4, -4, 4, -4, -12, 20, 4, 4, -12, -4, 4, -20, -8, 8, 0, -16, 0, -8, -24, 0, -16, 0, -8, 8, 8, 16, -16, -8)

$f_3$
W:  (32, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 4, 0, -4, 4, 8, -2, -2, 2, 2, 2, 2, -2, -2, 2, -2, -6, -2, 10, 6, 2, 6,
     -2, -2, 2, 2, -2, -2, 2, 2, 6, 2, 6, -6, -6, 6, 2, 6, 4, -4, 4, -4, 0, -8, 8, 0, -4, 0, 0, -4, 4, -8, -8, 4)
WH: (0, 0, 0, 0, 0, 0, 0, 0, -8, 0, 0, -8, 0, 8, -8, -16, 4, 4, -4, -4, -4, -4, 4, 4, -4, 4, 12, 4, -20, -12, -4, -12,
     4, 4, -4, -4, 4, 4, -4, -4, -12, -4, -12, 12, 12, -12, -4, -12, -8, 8, -8, 8, 0, 16, -16, 0, 8, 0, 0, 8, -8, 16, 16, -8)

$f_4$
W:  (32, 0, 0, 0, -2, 2, 2, -2, 2, -2, -2, 2, -4, -4, -4, -4, 0, 0, 0, 0, 2, -10, 6, 2, -2, 2, 2, -2, -12, -4, -4, 4,
     -4, 0, 0, 4, 2, -6, 2, 2, -2, 6, -2, -2, 0, -4, -4, -8, -4, 0, 0, 4, 6, -2, -10, 6, 2, 2, -6, 2, 0, 4, 4, 8)
WH: (0, 0, 0, 0, 4, -4, -4, 4, -4, 4, 4, -4, 8, 8, 8, 8, 0, 0, 0, 0, -4, 20, -12, -4, 4, -4, -4, 4, 24, 8, 8, -8,
     8, 0, 0, -8, -4, 12, -4, -4, 4, -12, 4, 4, 0, 8, 8, 16, 8, 0, 0, -8, -12, 4, 20, -12, -4, -4, 12, -4, 0, -8, -8, -16)


Table 6.16: Walsh Spectra and Walsh-Hadamard Spectra of S-Box 3 BFs.


Function   Cayley Graph Spectra ($\lambda_1 \le \lambda_2 \le \dots \le \lambda_n$)                    Distinct $\lambda_i$

$f_1$      $\lambda$:    -8   -6   -4   -2    0    2    4    6    8   10   32                       11
           mult:    2    6    3    9   14   13    9    3    3    1    1

$f_2$      $\lambda$:   -10   -8   -6   -4   -2    0    2    4    6    8   10   12   32             13
           mult:    1    1    1    5   16   15   10    6    3    3    1    1    1

$f_3$      $\lambda$:    -8   -6   -4   -2    0    2    4    6    8   10   32                       11
           mult:    3    3    5   10   14   12    7    6    2    1    1

$f_4$      $\lambda$:   -12  -10   -8   -6   -4   -2    0    2    4    6    8   32                  12
           mult:    1    2    1    2   10   10   13   14    5    4    1    1


Table 6.17: Cayley Graph Spectra of S-Box 3 BFs.
Table 6.18: Laplacian Spectra of Cayley Graphs Associated with S-Box 3 BFs.


Crypto Property               f1    f2    f3    f4
Degree                         5     5     5     5
Balanced                      Yes   Yes   Yes   Yes
Weight                        32    32    32    32
Nonlinearity                  22    20    22    20
Algebraic Immunity             3     3     3     3
Correlation Immunity Order     0     0     0     0
Resiliency Order               0     0     0     0


Table 6.19: Cryptographic Properties of S-Box 3 BFs.


Spectral Observations

Table 6.20 depicts the relevant properties of the Cayley graphs associated with the S-Box 3
BFs.

Graph Parameter            Γ_f1              Γ_f2              Γ_f3              Γ_f4
Regularity; deg            Yes; 32           Yes; 32           Yes; 32           Yes; 32
Connected; κ(Γ_f)          Yes; 1            Yes; 1            Yes; 1            Yes; 1
Bipartite                  No                No                No                No
Rank(A_Γf)                 50                49                50                51
Diameter                   2                 2                 2                 2
Spanning Trees; τ(Γ_f)     2.2695 × 10^92    2.2106 × 10^92    2.2699 × 10^92    1.761 × 10^93
Clique Number              8                 8                 8                 8
Independence Number        8                 8                 8                 8
Chromatic Number           8                 8                 8                 8


Table 6.20: Properties of Cayley Graphs Associated with S-Box 3 BFs.


6.2.4 S-Box 4 

S-Box 4 is displayed in Table 6.21. 


S-Box 4

ROW/COL   0000  0001  0010  0011  0100  0101  0110  0111
00        0111  1101  1110  0011  0000  0110  1001  1010
01        1101  1000  1011  0101  0110  1111  0000  0011
10        1010  0110  1001  0000  1100  1011  0111  1101
11        0011  1111  0000  0110  1010  0001  1101  1000

ROW/COL   1000  1001  1010  1011  1100  1101  1110  1111
00        0001  0010  1000  0101  1011  1100  0100  1111
01        0100  0111  0010  1100  0001  1010  1110  1001
10        1111  0001  0011  1110  0101  0010  1000  0100
11        1001  0100  0101  1011  1100  0111  0010  1110

Table 6.21: S-Box 4 in Binary Form.


Table 6.22 lists the ANFs for the BFs of S-Box 4.

Function   ANF   (Number of Terms; Degree)

$f_1$  (35 terms; degree 5):
$x_1 \oplus x_2 \oplus x_3 \oplus x_4 \oplus x_1x_2 \oplus x_1x_3 \oplus x_1x_4 \oplus x_2x_4 \oplus x_1x_5 \oplus x_2x_5 \oplus x_3x_5 \oplus x_1x_6 \oplus x_2x_6 \oplus x_3x_6 \oplus x_5x_6
\oplus x_1x_3x_4 \oplus x_2x_3x_4 \oplus x_1x_2x_5 \oplus x_2x_3x_5 \oplus x_1x_3x_6 \oplus x_2x_3x_6 \oplus x_3x_4x_6 \oplus x_2x_5x_6 \oplus x_3x_5x_6
\oplus x_1x_2x_3x_4 \oplus x_2x_3x_4x_5 \oplus x_1x_3x_4x_6 \oplus x_2x_3x_4x_6 \oplus x_1x_2x_5x_6 \oplus x_1x_3x_5x_6 \oplus x_2x_3x_5x_6 \oplus x_1x_4x_5x_6 \oplus x_2x_4x_5x_6
\oplus x_1x_2x_3x_4x_5 \oplus x_1x_2x_3x_5x_6$

$f_2$  (29 terms; degree 5):
$1 \oplus x_2 \oplus x_5 \oplus x_6 \oplus x_1x_2 \oplus x_1x_3 \oplus x_1x_4 \oplus x_2x_4 \oplus x_3x_4 \oplus x_1x_5 \oplus x_3x_5 \oplus x_1x_6 \oplus x_2x_6 \oplus x_5x_6
\oplus x_1x_3x_4 \oplus x_1x_2x_5 \oplus x_2x_3x_5 \oplus x_1x_3x_6 \oplus x_2x_3x_6 \oplus x_4x_5x_6
\oplus x_1x_2x_3x_4 \oplus x_1x_3x_4x_6 \oplus x_2x_3x_4x_6 \oplus x_1x_2x_5x_6 \oplus x_1x_3x_5x_6 \oplus x_1x_4x_5x_6 \oplus x_2x_4x_5x_6
\oplus x_1x_2x_3x_4x_5 \oplus x_1x_2x_3x_5x_6$

$f_3$  (32 terms; degree 5):
$1 \oplus x_1 \oplus x_3 \oplus x_2x_3 \oplus x_2x_4 \oplus x_1x_5 \oplus x_2x_5 \oplus x_3x_5 \oplus x_4x_5 \oplus x_1x_6 \oplus x_4x_6 \oplus x_5x_6
\oplus x_1x_3x_4 \oplus x_1x_3x_5 \oplus x_1x_4x_5 \oplus x_2x_4x_5 \oplus x_3x_4x_5 \oplus x_2x_3x_6 \oplus x_2x_5x_6 \oplus x_4x_5x_6
\oplus x_1x_2x_3x_5 \oplus x_1x_2x_4x_5 \oplus x_1x_3x_4x_5 \oplus x_2x_3x_4x_5 \oplus x_1x_2x_3x_6 \oplus x_1x_3x_4x_6 \oplus x_2x_3x_4x_6 \oplus x_2x_3x_5x_6 \oplus x_1x_4x_5x_6 \oplus x_2x_4x_5x_6
\oplus x_1x_2x_3x_4x_5 \oplus x_1x_2x_3x_5x_6$

$f_4$  (28 terms; degree 5):
$x_2 \oplus x_3 \oplus x_5 \oplus x_6 \oplus x_2x_3 \oplus x_2x_4 \oplus x_3x_4 \oplus x_1x_5 \oplus x_2x_5 \oplus x_1x_6 \oplus x_4x_6 \oplus x_5x_6
\oplus x_1x_3x_4 \oplus x_1x_3x_5 \oplus x_2x_3x_5 \oplus x_1x_4x_5 \oplus x_3x_4x_6 \oplus x_2x_5x_6
\oplus x_1x_2x_3x_5 \oplus x_1x_2x_4x_5 \oplus x_1x_3x_4x_5 \oplus x_1x_2x_3x_6 \oplus x_1x_3x_4x_6 \oplus x_2x_3x_4x_6 \oplus x_1x_4x_5x_6 \oplus x_2x_4x_5x_6
\oplus x_1x_2x_3x_4x_5 \oplus x_1x_2x_3x_5x_6$


Table 6.22: ANF and Degree of S-Box 4 BFs.


Figure 6.3 displays the Walsh-Hadamard spectra of the S-Box 4 BFs obtained from R. It
is assumed that the reader can easily compute the Walsh spectra via the relation in
Equation 4.16 (for $n = 6$, $\hat W_f(a) = 64\,\delta(a) - 2\,W_f(a)$, as Table 6.9 illustrates).

Figure 6.3: Walsh-Hadamard Spectra of S-Box 4 BFs.


Tables 6.23, 6.24, and 6.25 follow in the same manner as before. 


Function   Cayley Graph Spectra ($\lambda_1 \le \lambda_2 \le \dots \le \lambda_n$)          Distinct $\lambda_i$

$f_1$      $\lambda$:   -10   -8   -4   -2    0    2    4    8   10   32                  10
           mult:    3    3    6   17   11   11   10    1    1    1

$f_2$      $\lambda$:   -10   -8   -4   -2    0    2    4    8   10   32                  10
           mult:    1    3    6   11   11   17   10    1    3    1

$f_3$      $\lambda$:   -10   -8   -4   -2    0    2    4    8   10   32                  10
           mult:    1    3    6   11   11   17   10    1    3    1

$f_4$      $\lambda$:   -10   -8   -4   -2    0    2    4    8   10   32                  10
           mult:    3    3   10    9   11   19    6    1    1    1


Table 6.23: Cayley Graph Spectra of S-Box 4 BFs.
Table 6.24: Laplacian Spectra of Cayley Graphs Associated with S-Box 4 BFs.


Crypto Property               f1    f2    f3    f4
Degree                         5     5     5     5
Balanced                      Yes   Yes   Yes   Yes
Weight                        32    32    32    32
Nonlinearity                  22    22    22    22
Algebraic Immunity             3     3     3     3
Correlation Immunity Order     0     0     0     0
Resiliency Order               0     0     0     0


Table 6.25: Cryptographic Properties of S-Box 4 BFs.


Spectral Observations

Table 6.26 depicts the relevant properties of the Cayley graphs associated with the S-Box 4
BFs.

Graph Parameter            Γ_f1              Γ_f2              Γ_f3              Γ_f4
Regularity; deg            Yes; 32           Yes; 32           Yes; 32           Yes; 32
Connected; κ(Γ_f)          Yes; 1            Yes; 1            Yes; 1            Yes; 1
Bipartite                  No                No                No                No
Rank(A_Γf)                 53                53                53                53
Diameter                   2                 2                 2                 2
Spanning Trees; τ(Γ_f)     1.7454 × 10^93    2.26 × 10^92      2.26 × 10^92      1.7523 × 10^93
Clique Number              8                 8                 8                 8
Independence Number        8                 8                 8                 8
Chromatic Number           8                 8                 8                 8


Table 6.26: Properties of Cayley Graphs Associated with S-Box 4 BFs.


6.2.5 S-Box 5 

S-Box 5 is displayed in Table 6.27. 


S-Box 5

ROW/COL   0000  0001  0010  0011  0100  0101  0110  0111
00        0010  1100  0100  0001  0111  1010  1011  0110
01        1110  1011  0010  1100  0100  0111  1101  0001
10        0100  0010  0001  1011  1010  1101  0111  1000
11        1011  1000  1100  0111  0001  1110  0010  1101

ROW/COL   1000  1001  1010  1011  1100  1101  1110  1111
00        1000  0101  0011  1111  1101  0000  1110  1001
01        0101  0000  1111  1010  0011  1001  1000  0110
10        1111  1001  1100  0101  0110  0011  0000  1110
11        0110  1111  0000  1001  1010  0100  0101  0011

Table 6.27: S-Box 5 in Binary Form.


Table 6.28 lists the ANFs for the BFs of S-Box 5.

Function   ANF   (Number of Terms; Degree)

$f_1$  (27 terms; degree 5):
$x_2 \oplus x_3 \oplus x_6 \oplus x_1x_2 \oplus x_1x_4 \oplus x_2x_4 \oplus x_3x_4 \oplus x_1x_5 \oplus x_4x_5 \oplus x_1x_6 \oplus x_4x_6
\oplus x_1x_2x_3 \oplus x_1x_3x_4 \oplus x_2x_3x_5 \oplus x_1x_4x_5 \oplus x_3x_4x_5 \oplus x_2x_3x_6 \oplus x_2x_4x_6 \oplus x_3x_4x_6
\oplus x_1x_2x_3x_4 \oplus x_1x_3x_4x_5 \oplus x_1x_2x_4x_6 \oplus x_1x_3x_4x_6 \oplus x_2x_3x_5x_6 \oplus x_2x_4x_5x_6
\oplus x_1x_2x_3x_4x_5 \oplus x_1x_2x_4x_5x_6$

$f_2$  (30 terms; degree 5):
$1 \oplus x_4 \oplus x_5 \oplus x_6 \oplus x_1x_2 \oplus x_1x_3 \oplus x_2x_4 \oplus x_3x_4 \oplus x_1x_5 \oplus x_1x_6 \oplus x_5x_6
\oplus x_1x_3x_4 \oplus x_1x_3x_5 \oplus x_2x_3x_5 \oplus x_1x_4x_5 \oplus x_1x_2x_6 \oplus x_1x_4x_6 \oplus x_2x_4x_6 \oplus x_3x_4x_6 \oplus x_2x_5x_6 \oplus x_3x_5x_6
\oplus x_1x_2x_3x_4 \oplus x_1x_3x_4x_5 \oplus x_1x_3x_4x_6 \oplus x_1x_3x_5x_6 \oplus x_2x_3x_5x_6 \oplus x_1x_4x_5x_6
\oplus x_1x_2x_3x_4x_5 \oplus x_1x_2x_3x_4x_6 \oplus x_1x_2x_4x_5x_6$

$f_3$  (30 terms; degree 5):
$x_1 \oplus x_5 \oplus x_6 \oplus x_1x_2 \oplus x_1x_3 \oplus x_2x_3 \oplus x_1x_4 \oplus x_3x_4 \oplus x_4x_5 \oplus x_1x_6
\oplus x_2x_3x_4 \oplus x_1x_2x_5 \oplus x_1x_4x_5 \oplus x_2x_4x_5 \oplus x_1x_2x_6 \oplus x_1x_4x_6 \oplus x_2x_4x_6 \oplus x_1x_5x_6 \oplus x_2x_5x_6 \oplus x_4x_5x_6
\oplus x_1x_2x_3x_5 \oplus x_1x_2x_4x_5 \oplus x_1x_3x_4x_5 \oplus x_2x_3x_4x_6 \oplus x_1x_2x_5x_6 \oplus x_2x_3x_5x_6 \oplus x_2x_4x_5x_6
\oplus x_1x_2x_3x_4x_5 \oplus x_1x_2x_3x_5x_6 \oplus x_1x_2x_4x_5x_6$

$f_4$  (39 terms; degree 5):
$1 \oplus x_1 \oplus x_5 \oplus x_6 \oplus x_1x_2 \oplus x_2x_3 \oplus x_1x_4 \oplus x_2x_4 \oplus x_3x_4 \oplus x_1x_5 \oplus x_3x_5 \oplus x_2x_6 \oplus x_3x_6
\oplus x_1x_2x_4 \oplus x_1x_3x_4 \oplus x_2x_3x_4 \oplus x_2x_3x_5 \oplus x_1x_4x_5 \oplus x_3x_4x_5 \oplus x_1x_2x_6 \oplus x_1x_3x_6 \oplus x_3x_4x_6 \oplus x_1x_5x_6
\oplus x_2x_5x_6 \oplus x_3x_5x_6 \oplus x_4x_5x_6 \oplus x_1x_2x_3x_4 \oplus x_1x_2x_4x_5 \oplus x_1x_3x_4x_5 \oplus x_2x_3x_4x_5 \oplus x_1x_2x_4x_6
\oplus x_1x_3x_4x_6 \oplus x_2x_3x_4x_6 \oplus x_1x_3x_5x_6 \oplus x_2x_4x_5x_6
\oplus x_1x_2x_3x_4x_5 \oplus x_1x_2x_3x_4x_6 \oplus x_1x_2x_3x_5x_6 \oplus x_1x_2x_4x_5x_6$


Table 6.28: ANF and Degree of S-Box 5 BFs.
Figure 6.4 displays the Walsh-Hadamard spectra of the S-Box 5 BFs obtained from R. It
is again assumed that the reader can compute the Walsh spectra via the relation in
Equation 4.16.

Figure 6.4: Walsh-Hadamard Spectra of S-Box 5 BFs.


Tables 6.29, 6.30, and 6.31 follow in the same manner as before. 


Function   Cayley Graph Spectra ($\lambda_1 \le \lambda_2 \le \dots \le \lambda_n$)               Distinct $\lambda_i$

$f_1$      $\lambda$:   -10   -8   -6   -4   -2    0    2    4    6    8   10   32             12
           mult:    1    4    2    7   15   14    9    5    4    1    1    1

$f_2$      $\lambda$:    -6   -4   -2    0    2    4    6    8   32                            9
           mult:    5    9   11   10   11    7    5    5    1

$f_3$      $\lambda$:    -8   -6   -4   -2    0    2    4    6    8   32                       10
           mult:    4    5    9   11   10   11    7    5    1    1

$f_4$      $\lambda$:   -10   -8   -6   -4   -2    0    2    4    6    8   10   32             12
           mult:    1    2    3    6    6   15   16    6    5    2    1    1


Table 6.29: Cayley Graph Spectra of S-Box 5 BFs.











Function   Laplacian Spectra ($\mu_1 \le \mu_2 \le \dots \le \mu_n$)

$f_1$      $\mu$:      0   22   24   26   28   30   32   34   36   38   40   42
           mult:    1    1    1    4    5    9   14   15    7    2    4    1

$f_2$      $\mu$:      0   24   26   28   30   32   34   36   38
           mult:    1    5    5    7   11   10   11    9    5

$f_3$      $\mu$:      0   24   26   28   30   32   34   36   38   40
           mult:    1    1    5    7   11   10   11    9    5    4

$f_4$      $\mu$:      0   22   24   26   28   30   32   34   36   38   40   42
           mult:    1    1    2    5    6   16   15    6    6    3    2    1


Table 6.30: Laplacian Spectra of Cayley Graphs Associated with S-Box 5 BFs.


Crypto Property               f1    f2    f3    f4
Degree                         5     5     5     5
Balanced                      Yes   Yes   Yes   Yes
Weight                        32    32    32    32
Nonlinearity                  22    24    24    22
Algebraic Immunity             3     3     3     3
Correlation Immunity Order     0     0     0     0
Resiliency Order               0     0     0     0


Table 6.31: Cryptographic Properties of S-Box 5 BFs.


Spectral Observations

Table 6.32 depicts the relevant properties of the Cayley graphs associated with the S-Box 5
BFs.

Graph Parameter            Γ_f1              Γ_f2              Γ_f3              Γ_f4
Regularity; deg            Yes; 32           Yes; 32           Yes; 32           Yes; 32
Connected; κ(Γ_f)          Yes; 1            Yes; 1            Yes; 1            Yes; 1
Bipartite                  No                No                No                No
Rank(A_Γf)                 50                54                54                49
Diameter                   2                 2                 2                 2
Spanning Trees; τ(Γ_f)     1.7206 × 10^93    2.2469 × 10^92    1.7337 × 10^93    2.286 × 10^92
Clique Number              8                 8                 8                 8
Independence Number        8                 8                 8                 8
Chromatic Number           8                 8                 8                 8


Table 6.32: Properties of Cayley Graphs Associated with S-Box 5 BFs.


6.2.6 S-Box 6 

S-Box 6 is displayed in Table 6.33. 


S-Box 6

ROW/COL   0000  0001  0010  0011  0100  0101  0110  0111
00        1100  0001  1010  1111  1001  0010  0110  1000
01        1010  1111  0100  0010  0111  1100  1001  0101
10        1001  1110  1111  0101  0010  1000  1100  0011
11        0100  0011  0010  1100  1001  0101  1111  1010

ROW/COL   1000  1001  1010  1011  1100  1101  1110  1111
00        0000  1101  0011  0100  1110  0111  0101  1011
01        0110  0001  1101  1110  0000  1011  0011  1000
10        0111  0000  0100  1010  0001  1101  1011  0110
11        1011  1110  0001  0111  0110  0000  1000  1101

Table 6.33: S-Box 6 in Binary Form.


Table 6.34 lists the ANFs for the BFs of S-Box 6.

Function   ANF   (Number of Terms; Degree)

$f_1$  (31 terms; degree 5):
$1 \oplus x_2 \oplus x_3 \oplus x_6 \oplus x_2x_3 \oplus x_1x_4 \oplus x_2x_4 \oplus x_3x_4 \oplus x_1x_5 \oplus x_4x_5 \oplus x_2x_6 \oplus x_5x_6
\oplus x_1x_2x_3 \oplus x_1x_3x_4 \oplus x_2x_3x_4 \oplus x_1x_3x_5 \oplus x_2x_3x_5 \oplus x_1x_4x_5 \oplus x_2x_4x_5 \oplus x_3x_4x_5 \oplus x_1x_4x_6 \oplus x_1x_5x_6
\oplus x_1x_2x_3x_4 \oplus x_2x_3x_4x_5 \oplus x_2x_3x_4x_6 \oplus x_1x_2x_5x_6 \oplus x_2x_3x_5x_6
\oplus x_1x_2x_3x_4x_5 \oplus x_1x_2x_3x_4x_6 \oplus x_1x_2x_3x_5x_6 \oplus x_1x_2x_4x_5x_6$

$f_2$  (30 terms; degree 5):
$1 \oplus x_1 \oplus x_4 \oplus x_5 \oplus x_6 \oplus x_1x_3 \oplus x_2x_5 \oplus x_3x_5 \oplus x_2x_6 \oplus x_5x_6
\oplus x_1x_2x_4 \oplus x_2x_3x_4 \oplus x_1x_2x_5 \oplus x_2x_3x_6 \oplus x_1x_4x_6 \oplus x_1x_5x_6 \oplus x_4x_5x_6
\oplus x_1x_2x_3x_5 \oplus x_1x_3x_4x_5 \oplus x_1x_2x_3x_6 \oplus x_1x_3x_4x_6 \oplus x_2x_3x_4x_6 \oplus x_1x_2x_5x_6 \oplus x_2x_3x_5x_6 \oplus x_1x_4x_5x_6 \oplus x_2x_4x_5x_6
\oplus x_1x_2x_3x_4x_5 \oplus x_1x_2x_3x_4x_6 \oplus x_1x_2x_3x_5x_6 \oplus x_1x_2x_4x_5x_6$

$f_3$  (36 terms; degree 5):
$1 \oplus x_1 \oplus x_2 \oplus x_5 \oplus x_6 \oplus x_1x_3 \oplus x_2x_3 \oplus x_1x_4 \oplus x_2x_4 \oplus x_3x_4 \oplus x_1x_5 \oplus x_3x_5 \oplus x_4x_5 \oplus x_5x_6
\oplus x_1x_2x_3 \oplus x_2x_3x_4 \oplus x_1x_2x_5 \oplus x_2x_3x_5 \oplus x_1x_4x_5 \oplus x_2x_4x_5 \oplus x_3x_4x_5 \oplus x_1x_2x_6 \oplus x_1x_4x_6 \oplus x_2x_5x_6
\oplus x_1x_2x_3x_4 \oplus x_1x_2x_3x_5 \oplus x_1x_2x_4x_5 \oplus x_1x_3x_4x_5 \oplus x_2x_3x_4x_5 \oplus x_1x_3x_4x_6 \oplus x_1x_2x_5x_6 \oplus x_1x_3x_5x_6 \oplus x_2x_3x_5x_6
\oplus x_1x_2x_3x_4x_5 \oplus x_1x_2x_3x_4x_6 \oplus x_1x_2x_4x_5x_6$

$f_4$  (29 terms; degree 5):
$x_1 \oplus x_5 \oplus x_6 \oplus x_1x_2 \oplus x_1x_3 \oplus x_2x_3 \oplus x_1x_4 \oplus x_2x_4 \oplus x_3x_4 \oplus x_2x_5 \oplus x_3x_5 \oplus x_4x_6
\oplus x_1x_2x_3 \oplus x_1x_3x_4 \oplus x_2x_3x_4 \oplus x_1x_2x_5 \oplus x_1x_3x_5 \oplus x_2x_3x_6 \oplus x_2x_4x_6 \oplus x_3x_4x_6 \oplus x_3x_5x_6
\oplus x_1x_2x_3x_5 \oplus x_1x_2x_3x_6 \oplus x_1x_3x_4x_6 \oplus x_1x_3x_5x_6 \oplus x_2x_3x_5x_6 \oplus x_1x_4x_5x_6
\oplus x_1x_2x_3x_5x_6 \oplus x_1x_2x_4x_5x_6$


Table 6.34: ANF and Degree of S-Box 6 BFs.
Figure 6.5 displays the Walsh-Hadamard spectra of the S-Box 6 BFs obtained from R. It
is again assumed that the reader can compute the Walsh spectra via the relation in
Equation 4.16.

Figure 6.5: Walsh-Hadamard Spectra of S-Box 6 BFs.


Tables 6.35, 6.36, and 6.37 follow in the same manner as before. 



Table 6.35: Cayley Graph Spectra of S-Box 6 BFs. 
Function   Laplacian Spectra ($\mu_1 \le \mu_2 \le \dots \le \mu_n$)

$f_1$      $\mu$:      0   22   24   26   28   30   32   34   36   38   42
           mult:    1    1    4    3    8   12   11   12    8    3    1

$f_2$      $\mu$:      0   22   24   26   28   30   32   34   36   38   40   42
           mult:    1    1    4    2    8   13   13   13    4    2    2    1

$f_3$      $\mu$:      0   22   24   26   28   30   32   34   36   38   42
           mult:    1    2    2    2   10   12   13   12    6    2    2

$f_4$      $\mu$:      0   24   26   28   30   32   34   36   38   40   42
           mult:    1    2    3    7    9   14   15    5    3    3    2


Table 6.36: Laplacian Spectra of Cayley Graphs Associated with S-Box 6 BFs.


Crypto Property               f1    f2    f3    f4
Degree                         5     5     5     5
Balanced                      Yes   Yes   Yes   Yes
Weight                        32    32    32    32
Nonlinearity                  22    22    22    22
Algebraic Immunity             3     3     3     3
Correlation Immunity Order     0     0     0     0
Resiliency Order               0     0     0     0


Table 6.37: Cryptographic Properties of S-Box 6 BFs.


Spectral Observations

Table 6.38 depicts the relevant properties of the Cayley graphs associated with the S-Box 6
BFs.

Graph Parameter            Γ_f1              Γ_f2              Γ_f3              Γ_f4
Regularity; deg            Yes; 32           Yes; 32           Yes; 32           Yes; 32
Connected; κ(Γ_f)          Yes; 1            Yes; 1            Yes; 1            Yes; 1
Bipartite                  No                No                No                No
Rank(A_Γf)                 53                51                51                50
Diameter                   2                 2                 2                 2
Spanning Trees; τ(Γ_f)     2.2498 × 10^92    2.2657 × 10^92    2.2628 × 10^92    1.7426 × 10^93
Clique Number              8                 8                 8                 8
Independence Number        8                 8                 8                 8
Chromatic Number           8                 8                 8                 8


Table 6.38: Properties of Cayley Graphs Associated with S-Box 6 BFs.


6.2.7 S-Box 7 

S-Box 7 is displayed in Table 6.39. 


S-Box 7

ROW/COL   0000  0001  0010  0011  0100  0101  0110  0111
00        0100  1011  0010  1110  1111  0000  1000  1101
01        1101  0000  1011  0111  0100  1001  0001  1010
10        0001  0100  1011  1101  1100  0011  0111  1110
11        0110  1011  1101  1000  0001  0100  1010  0111

ROW/COL   1000  1001  1010  1011  1100  1101  1110  1111
00        0011  1100  1001  0111  0101  1010  0110  0001
01        1110  0011  0101  1100  0010  1111  1000  0110
10        1010  1111  0110  1000  0000  0101  1001  0010
11        1001  0101  0000  1111  1110  0010  0011  1100

Table 6.39: S-Box 7 in Binary Form.


Table 6.40 lists the ANFs for the BFs of S-Box 7.

Function   ANF   (Number of Terms; Degree)

$f_1$  (27 terms; degree 5):
$x_1 \oplus x_3 \oplus x_5 \oplus x_1x_2 \oplus x_1x_4 \oplus x_2x_4 \oplus x_1x_5 \oplus x_1x_6 \oplus x_2x_6 \oplus x_4x_6 \oplus x_5x_6
\oplus x_2x_3x_4 \oplus x_1x_2x_5 \oplus x_3x_4x_5 \oplus x_1x_2x_6 \oplus x_2x_4x_6 \oplus x_2x_5x_6 \oplus x_4x_5x_6
\oplus x_1x_2x_4x_5 \oplus x_1x_3x_4x_5 \oplus x_2x_3x_4x_5 \oplus x_2x_3x_4x_6 \oplus x_1x_2x_5x_6 \oplus x_1x_4x_5x_6 \oplus x_2x_4x_5x_6
\oplus x_1x_2x_3x_4x_6 \oplus x_1x_2x_4x_5x_6$

$f_2$  (24 terms; degree 5):
$1 \oplus x_2 \oplus x_3 \oplus x_5 \oplus x_1x_2 \oplus x_2x_3 \oplus x_1x_4 \oplus x_2x_4 \oplus x_1x_5 \oplus x_2x_5 \oplus x_2x_6 \oplus x_4x_6
\oplus x_1x_2x_3 \oplus x_2x_4x_5 \oplus x_2x_4x_6 \oplus x_1x_5x_6
\oplus x_1x_2x_3x_4 \oplus x_1x_3x_4x_5 \oplus x_2x_3x_4x_5 \oplus x_1x_2x_4x_6 \oplus x_1x_3x_4x_6 \oplus x_2x_4x_5x_6
\oplus x_1x_2x_3x_4x_5 \oplus x_1x_2x_4x_5x_6$

$f_3$  (28 terms; degree 5):
$x_4 \oplus x_5 \oplus x_6 \oplus x_1x_2 \oplus x_1x_3 \oplus x_1x_4 \oplus x_2x_5 \oplus x_3x_5 \oplus x_1x_6
\oplus x_2x_3x_4 \oplus x_1x_2x_5 \oplus x_1x_3x_5 \oplus x_1x_2x_6 \oplus x_1x_4x_6 \oplus x_2x_4x_6 \oplus x_3x_4x_6 \oplus x_1x_5x_6 \oplus x_2x_5x_6 \oplus x_3x_5x_6
\oplus x_1x_2x_4x_5 \oplus x_1x_3x_4x_5 \oplus x_1x_3x_4x_6 \oplus x_2x_3x_4x_6 \oplus x_1x_2x_5x_6 \oplus x_1x_3x_5x_6 \oplus x_1x_4x_5x_6
\oplus x_1x_2x_3x_4x_6 \oplus x_1x_2x_4x_5x_6$

$f_4$  (32 terms; degree 5):
$x_1 \oplus x_2 \oplus x_3 \oplus x_4 \oplus x_6 \oplus x_2x_3 \oplus x_1x_4 \oplus x_3x_4 \oplus x_1x_5 \oplus x_2x_5 \oplus x_3x_5
\oplus x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_3x_4 \oplus x_2x_3x_4 \oplus x_1x_2x_5 \oplus x_1x_3x_5 \oplus x_2x_3x_5 \oplus x_2x_4x_6 \oplus x_3x_4x_6 \oplus x_3x_5x_6
\oplus x_1x_2x_3x_4 \oplus x_1x_2x_3x_5 \oplus x_1x_2x_3x_6 \oplus x_1x_2x_4x_6 \oplus x_1x_3x_4x_6 \oplus x_1x_3x_5x_6 \oplus x_2x_3x_5x_6 \oplus x_1x_4x_5x_6
\oplus x_1x_2x_3x_4x_6 \oplus x_1x_2x_3x_5x_6 \oplus x_1x_2x_4x_5x_6$


Table 6.40: ANF and Degree of S-Box 7 BFs.


Figure 6.6 displays the Walsh-Hadamard spectra of the S-Box 7 BFs obtained from R. It
is again assumed that the reader can compute the Walsh spectra via the relation in
Equation 4.16.

Figure 6.6: Walsh-Hadamard Spectra of S-Box 7 BFs.


Tables 6.41, 6.42, and 6.43 follow in the same manner as before. 


Function   Cayley Graph Spectra ($\lambda_1 \le \lambda_2 \le \dots \le \lambda_n$)               Distinct $\lambda_i$

$f_1$      $\lambda$:   -10   -8   -6   -4   -2    0    2    4    6    8   10   32             12
           mult:    1    5    1    6   16   13   10    6    3    1    1    1

$f_2$      $\lambda$:   -10   -8   -6   -4   -2    0    2    4    6    8   10   32             12
           mult:    1    2    2    4   10   19   12    4    5    2    2    1

$f_3$      $\lambda$:    -8   -6   -4   -2    0    2    4    6    8   32                       10
           mult:    3    7    9    7   14   13    3    5    2    1

$f_4$      $\lambda$:    -8   -6   -4   -2    0    2    4    6    8   10   32                  11
           mult:    5    2    7   17   12    9    5    3    2    1    1


Table 6.41: Cayley Graph Spectra of S-Box 7 BFs.


Function   Laplacian Spectra ($\mu_1 \le \mu_2 \le \dots \le \mu_n$)

$f_1$      $\mu$:      0   22   24   26   28   30   32   34   36   38   40   42
           mult:    1    1    1    3    6   10   13   16    6    1    5    1

$f_2$      $\mu$:      0   22   24   26   28   30   32   34   36   38   40   42
           mult:    1    2    2    5    4   12   19   10    4    2    2    1

$f_3$      $\mu$:      0   24   26   28   30   32   34   36   38   40
           mult:    1    2    5    3   13   14    7    9    7    3

$f_4$      $\mu$:      0   22   24   26   28   30   32   34   36   38   40
           mult:    1    1    2    3    5    9   12   17    7    2    5


Table 6.42: Laplacian Spectra of Cayley Graphs Associated with S-Box 7 BFs.
Crypto Property               f1    f2    f3    f4
Degree                         5     5     5     5
Balanced                      Yes   Yes   Yes   Yes
Weight                        32    32    32    32
Nonlinearity                  22    22    24    22
Algebraic Immunity             3     3     3     3
Correlation Immunity Order     0     0     0     0
Resiliency Order               0     0     0     0


Table 6.43: Cryptographic Properties of S-Box 7 BFs.


Spectral Observations

Table 6.44 depicts the relevant properties of the Cayley graphs associated with the S-Box 7
BFs.

Graph Parameter            Γ_f1              Γ_f2              Γ_f3              Γ_f4
Regularity; deg            Yes; 32           Yes; 32           Yes; 32           Yes; 32
Connected; κ(Γ_f)          Yes; 1            Yes; 1            Yes; 1            Yes; 1
Bipartite                  No                No                No                No
Rank(A_Γf)                 51                45                50                52
Diameter                   2                 2                 2                 2
Spanning Trees; τ(Γ_f)     1.727 × 10^93     2.2533 × 10^92    1.7258 × 10^93    1.7076 × 10^93
Clique Number              8                 8                 8                 8
Independence Number        8                 8                 8                 8
Chromatic Number           8                 8                 8                 8


Table 6.44: Properties of Cayley Graphs Associated with S-Box 7 BFs.


6.2.8 S-Box 8 

S-Box 8 is displayed in Table 6.45. 
S-Box 8

ROW/COL   0000  0001  0010  0011  0100  0101  0110  0111
00        1101  0010  1000  0100  0110  1111  1011  0001
01        0001  1111  1101  1000  1010  0011  0111  0100
10        0111  1011  0100  0001  1001  1100  1110  0010
11        0010  0001  1110  0111  0100  1010  1000  1101

ROW/COL   1000  1001  1010  1011  1100  1101  1110  1111
00        1010  1001  0011  1110  0101  0000  1100  0111
01        1100  0101  0110  1011  0000  1110  1001  0010
10        0000  0110  1010  1101  1111  0011  0101  1000
11        1111  1100  1001  0000  0011  0101  0110  1011

Table 6.45: S-Box 8 in Binary Form.
Table 6.46 lists the ANFs for the BFs of S-Box 8.

Function   ANF   (Number of Terms; Degree)

$f_1$  (31 terms; degree 5):
$1 \oplus x_2 \oplus x_3 \oplus x_5 \oplus x_1x_2 \oplus x_1x_4 \oplus x_1x_5 \oplus x_4x_5 \oplus x_1x_6 \oplus x_2x_6 \oplus x_3x_6 \oplus x_4x_6
\oplus x_2x_3x_4 \oplus x_1x_2x_5 \oplus x_1x_3x_5 \oplus x_2x_3x_5 \oplus x_1x_4x_5 \oplus x_2x_4x_5 \oplus x_1x_2x_6 \oplus x_2x_3x_6 \oplus x_2x_4x_6 \oplus x_3x_4x_6 \oplus x_1x_5x_6 \oplus x_4x_5x_6
\oplus x_1x_2x_4x_5 \oplus x_2x_3x_4x_6 \oplus x_1x_2x_5x_6 \oplus x_1x_4x_5x_6 \oplus x_2x_4x_5x_6
\oplus x_1x_2x_3x_4x_6 \oplus x_1x_2x_4x_5x_6$

$f_2$  (30 terms; degree 5):
$x_3 \oplus x_4 \oplus x_5 \oplus x_6 \oplus x_1x_2 \oplus x_2x_4 \oplus x_3x_4 \oplus x_1x_5 \oplus x_2x_6
\oplus x_1x_2x_3 \oplus x_1x_3x_4 \oplus x_1x_2x_5 \oplus x_1x_3x_5 \oplus x_2x_3x_5 \oplus x_1x_2x_6 \oplus x_1x_3x_6 \oplus x_2x_3x_6 \oplus x_1x_4x_6 \oplus x_2x_4x_6 \oplus x_3x_4x_6 \oplus x_1x_5x_6 \oplus x_2x_5x_6
\oplus x_1x_2x_3x_4 \oplus x_1x_2x_3x_5 \oplus x_1x_2x_4x_5 \oplus x_1x_2x_3x_6 \oplus x_1x_2x_5x_6 \oplus x_2x_4x_5x_6
\oplus x_1x_2x_3x_4x_5 \oplus x_1x_2x_4x_5x_6$

$f_3$  (32 terms; degree 5):
$x_1 \oplus x_2 \oplus x_3 \oplus x_5 \oplus x_1x_2 \oplus x_2x_3 \oplus x_2x_4 \oplus x_3x_4 \oplus x_3x_5 \oplus x_1x_6 \oplus x_2x_6 \oplus x_3x_6 \oplus x_4x_6
\oplus x_1x_3x_4 \oplus x_2x_3x_4 \oplus x_1x_2x_5 \oplus x_1x_3x_5 \oplus x_2x_3x_5 \oplus x_1x_4x_5 \oplus x_1x_2x_6 \oplus x_1x_3x_6 \oplus x_1x_4x_6 \oplus x_2x_4x_6 \oplus x_3x_4x_6
\oplus x_1x_2x_4x_5 \oplus x_1x_3x_4x_6 \oplus x_2x_3x_4x_6 \oplus x_1x_2x_5x_6 \oplus x_2x_3x_5x_6 \oplus x_1x_4x_5x_6
\oplus x_1x_2x_3x_4x_6 \oplus x_1x_2x_4x_5x_6$

$f_4$  (25 terms; degree 5):
$x_2 \oplus x_4 \oplus x_6 \oplus x_1x_2 \oplus x_2x_3 \oplus x_2x_4 \oplus x_3x_4 \oplus x_1x_5 \oplus x_2x_5 \oplus x_3x_5 \oplus x_2x_6 \oplus x_4x_6 \oplus x_5x_6
\oplus x_1x_3x_4 \oplus x_2x_3x_5 \oplus x_1x_2x_6 \oplus x_1x_4x_6 \oplus x_1x_5x_6 \oplus x_3x_5x_6
\oplus x_1x_2x_3x_5 \oplus x_1x_3x_5x_6 \oplus x_2x_3x_5x_6 \oplus x_2x_4x_5x_6
\oplus x_1x_2x_3x_4x_5 \oplus x_1x_2x_3x_5x_6$


Table 6.46: ANF and Degree of S-Box 8 BFs.


Figure 6.7 displays the Walsh-Hadamard spectra of the S-Box 8 BFs obtained from R. It
is again assumed that the reader can compute the Walsh spectra via the relation in
Equation 4.16.

[Figure 6.7: R console output of the Walsh-Hadamard spectra, e.g. the call wh(s8r2) for the
second-row function; the individual values are not recoverable from the extracted text.]

Figure 6.7: Walsh-Hadamard Spectra of S-Box 8 BFs.


Tables 6.47, 6.48, and 6.49 follow in the same manner as before. 


Function   Cayley Graph Spectra ($\lambda_1 \le \lambda_2 \le \dots \le \lambda_n$)               Distinct $\lambda_i$

$f_1$      $\lambda$:    -8   -6   -4   -2    0    2    4    6    8   32                       10
           mult:    2    7    3    5   16   17    5    3    5    1

$f_2$      $\lambda$:   -10   -8   -6   -4   -2    0    2    4    6    8   32                  11
           mult:    2    4    2    7   10   14   14    5    4    1    1

$f_3$      $\lambda$:   -10   -8   -6   -4   -2    0    2    4    6    8   10   32             12
           mult:    1    4    4    3   17   14    7    9    2    1    1    1

$f_4$      $\lambda$:   -10   -8   -6   -4   -2    0    2    4    6    8   32                  11
           mult:    1    3    5    6   13   13   11    6    2    3    1


Table 6.47: Cayley Graph Spectra of S-Box 8 BFs.


Function   Laplacian Spectra ($\mu_1 \le \mu_2 \le \dots \le \mu_n$)

$f_1$      $\mu$:      0   24   26   28   30   32   34   36   38   40
           mult:    1    5    3    5   17   16    5    3    7    2

$f_2$      $\mu$:      0   24   26   28   30   32   34   36   38   40   42
           mult:    1    1    4    5   14   14   10    7    2    4    2

$f_3$      $\mu$:      0   22   24   26   28   30   32   34   36   38   40   42
           mult:    1    1    1    2    9    7   14   17    3    4    4    1

$f_4$      $\mu$:      0   24   26   28   30   32   34   36   38   40   42
           mult:    1    3    2    6   11   13   13    6    5    3    1


Table 6.48: Laplacian Spectra of Cayley Graphs Associated with S-Box 8 BFs.
Crypto Property               f1    f2    f3    f4
Degree                         5     5     5     5
Balanced                      Yes   Yes   Yes   Yes
Weight                        32    32    32    32
Nonlinearity                  24    22    22    22
Algebraic Immunity             3     3     3     3
Correlation Immunity Order     0     0     0     0
Resiliency Order               0     0     0     0


Table 6.49: Cryptographic Properties of S-Box 8 BFs.


Spectral Observations

Table 6.50 depicts the relevant properties of the Cayley graphs associated with the S-Box 8
BFs.

Graph Parameter            Γ_f1              Γ_f2                          Γ_f3              Γ_f4
Regularity; deg            Yes; 32           Yes; 32                       Yes; 32           Yes; 32
Connected; κ(Γ_f)          Yes; 1            Yes; 1                        Yes; 1            Yes; 1
Bipartite                  No                No                            No                No
Rank(A_Γf)                 48                50                            50                51
Diameter                   2                 2                             2                 2
Spanning Trees; τ(Γ_f)     2.2801 × 10^92    1.0980 × 10^(exponent illegible)   1.7276 × 10^93    1.7299 × 10^93
Clique Number              8                 8                             8                 8
Independence Number        8                 8                             8                 8
Chromatic Number           8                 8                             8                 8


Table 6.50: Properties of Cayley Graphs Associated with S-Box 8 BFs.


6.3 Relations 

The following observed relations are specific to the DES S-Box BFs and their associated
Cayley graphs. These should not be universalized to all BFs used in similar substitution
steps within a cryptosystem.

1. The constant term 1 appears in the ANF of a BF if and only if the associated Cayley
graph has a loop at every vertex.

2. The functions within an S-Box with the smallest number of terms in their ANF also
have the smallest number of degree 5 terms.

3. Within the same S-Box, if multiple Cayley graphs have the same set of eigenvalues,
then their corresponding BFs have the same nonlinearity. Furthermore, this nonlinearity
is 22.

4. The function(s) with the highest nonlinearity also have the smallest number of distinct
eigenvalues when compared to other functions within the same S-Box; similarly,
the function(s) with the lowest nonlinearity also have the largest number of distinct
eigenvalues.

5. Of the 32 total functions, seven achieve the maximum nonlinearity of 24. These
seven functions as graphs do not contain ±10 as eigenvalues.

6. Six of the 32 total functions achieve a nonlinearity of 22. These functions as graphs
do not have ±12 as eigenvalues. Furthermore, these functions have at most 31 terms
in their ANF. The functions with nonlinearity 22 also have the largest number of
distinct eigenvalues when compared to other functions within the same S-Box.

7. A function achieves the minimum nonlinearity of 20 if and only if its Cayley graph has
an eigenvalue $\lambda_f \in \{\pm 12\}$.

8. The Cayley graph with the largest multiplicity of 0 as an eigenvalue in each S-Box
also has an adjacency matrix A with the smallest rank. Furthermore, if two or more
Cayley graphs within the same S-Box have the same multiplicity of 0 as an eigenvalue,
then their corresponding adjacency matrices have the same rank.

9. There is no observed pattern in the number of spanning trees in the Cayley graphs.
This is somewhat interesting since all of the graphs are 32-regular, and have the same
diameter, chromatic number, independence number, and clique number.

10. S-Box 2 is the only box to use a BF with algebraic degree four. Surprisingly, this
function achieves the maximum nonlinearity of 24 and its Cayley graph has the
smallest number of distinct eigenvalues across all S-Boxes.

11. Beginning with S-Box 3, at least two functions within each box have the same set of
eigenvalues.

12. S-Box 4 is rather interesting with regards to the Cayley spectrum. Hellman and Davio
noted the redundancy in this S-Box, sparking many to believe that this box was the
trap door left behind by the designers. All four BFs in the fourth S-Box have the
same nonlinearity, the same set of Cayley eigenvalues, and their adjacency matrices
all have the same rank. Granted, the ANFs are different, but the second and third
functions have Cayley graphs with the exact same spectra.

13. The set of possible nonlinearity values {20, 22, 24} is the same as the set of spectral
gap† values. Furthermore, for S-Boxes 4-7, these two values are equal.
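Relations 1 and 2 are statements about the ANF, and both can be checked mechanically from a truth table. The following added Python example (my code, not the thesis's or its Maple appendix) computes the algebraic normal form by the Möbius transform, reads off the constant term and the number of terms of each degree, and verifies relation 1 straight from the Cayley graph definition, where the loop at vertex x exists iff f(x ⊕ x) = f(0) = 1. The input is the truth table listed in Appendix A.1 of the thesis; which S-Box coordinate function it represents is not stated on the page, and the variable ordering (x_k is bit k−1 of the input index, chosen to match the (x_6, …, x_1) pairing used in Section 6.5) is an assumption.

```python
from collections import Counter

N = 6  # DES S-Box coordinate functions take 6 input bits

# Truth table taken from Appendix A.1 of the thesis (the page does not say which
# S-Box coordinate function it is). Entry i is f(x) for the input x whose
# 6-bit binary expansion is i (bit k-1 of i is the variable x_k: an assumption).
TT_A1 = [1,1,1,1,1,1,0,0,1,0,0,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,0,1,0,1,1,1,
         0,1,0,1,1,0,1,1,0,0,1,1,1,1,1,0,1,0,1,0,0,0,0,0,0,1,1,0,1,1,0,1]


def mobius(values):
    """Möbius transform over F_2: maps a truth table to its ANF coefficients
    (the coefficient of the monomial with variable mask m sits at index m) and,
    being an involution, maps ANF coefficients back to the truth table."""
    c = list(values)
    n = len(c).bit_length() - 1
    for i in range(n):
        bit = 1 << i
        for m in range(len(c)):
            if m & bit:
                c[m] ^= c[m ^ bit]
    return c


def anf_terms(tt):
    """Monomials present in the ANF, each as a tuple of variable numbers (() is the constant 1)."""
    coeff = mobius(tt)
    n = len(tt).bit_length() - 1
    return [tuple(k + 1 for k in range(n) if (m >> k) & 1)
            for m in range(len(tt)) if coeff[m]]


def anf_string(tt):
    terms = anf_terms(tt)
    return " ⊕ ".join("1" if t == () else "".join(f"x{k}" for k in t) for t in terms) or "0"


def algebraic_degree(tt):
    return max((len(t) for t in anf_terms(tt)), default=0)


def terms_by_degree(tt):
    """Relation 2 counts the degree-5 terms; this gives the count for every degree."""
    return dict(sorted(Counter(len(t) for t in anf_terms(tt)).items()))


def has_constant_term(tt):
    return () in anf_terms(tt)


def cayley_loop_at_every_vertex(tt):
    """In the Cayley graph of f, x ~ y iff f(x xor y) = 1, so the loop at x exists
    iff f(x xor x) = f(0) = 1; this checks every vertex explicitly (relation 1)."""
    return all(tt[x ^ x] == 1 for x in range(len(tt)))


if __name__ == "__main__":
    print("ANF:", anf_string(TT_A1))
    print("degree:", algebraic_degree(TT_A1), "terms by degree:", terms_by_degree(TT_A1))
    print("constant term:", has_constant_term(TT_A1),
          "loop at every vertex:", cayley_loop_at_every_vertex(TT_A1))
```

Because the Möbius transform is its own inverse, `mobius(mobius(tt)) == tt` is a cheap self-check, and a balanced function (weight 2^{n-1}) can never carry the degree-n monomial, since that coefficient is the parity of the whole truth table.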

6.4 Expanders 

Recall in Subsection 5.3.2 we introduced the Cheeger constant with respect to cuts in a
graph. Another application of connectivity deals with the expander graph. The expander
graph is a regular graph (typically of small degree) such that the number of neighbors of
any subset of the vertex set containing at most half of the total nodes is at least a constant
factor of its size [85]. More formally, an $\varepsilon$-expander is a regular graph $G = (V, E)$ such that
for every set $S \subseteq V$ with $|S| \le |V|/2$, the number of nodes in $V \setminus S$ adjacent to some $x \in S$ is
at least $\varepsilon |S|$. If the spectral gap for an $r$-regular graph is at least $2\varepsilon r$, then the graph is an
$\varepsilon$-expander [85]. Also [104], an $r$-regular graph is an $\varepsilon$-expander if the Cheeger constant
$h_G$ is at least $\varepsilon$, i.e., $h_G \ge \varepsilon$. Hence, the term expansion is closely related with cuts (vertex,
edge, spectral, etc.). Since expander graphs exhibit strong connectivity properties, they are
often sought out in many computer-based algorithms.

Expanders have wide applications, especially in computer science and the design of communication
networks. Expander graphs were first defined in the 1970s [105] by Leonid
Bassalygo and Michael Pinsker. It is generally difficult to construct an expander graph
from scratch, since they are simultaneously sparse and highly connected. Thus, much of
the work dealing with these graphs is theoretical in nature. However, random graphs often
make good expanders, and we have multiple construction methods to do this. Expander
graphs also have application in error correcting codes as well as pseudorandom numbers.

Construction of $r$-regular expanders implies control of the spectral gap, denoted from now
on as $\lambda = r - \lambda_{n-1}$. Cheeger and Peter Buser bounded the Cheeger constant in terms of the
spectral gap as

$$\frac{\lambda}{2} \le h_G \le \sqrt{2 r \lambda}.$$

† The spectral gap is defined to be the difference between the largest and second largest eigenvalue, i.e.,
$\lambda_n - \lambda_{n-1}$. See Section 6.4.
The question remains how large the spectral gap can be. This question obviously relies
on the value for $\lambda_{n-1}$, and by the bounds on the Cheeger constant we see that a large
spectral gap implies high expansion. Alon and Ravi Boppana showed that this gap could
be expressed by bounding the second largest eigenvalue. In particular,

$$\lambda_{n-1} \ge 2\sqrt{r-1} - o_n(1),$$

where the term $o_n(1)$ tends to zero as $n$ becomes large [105]. This term is simplified from a
fractional ratio of a constant and the diameter of a graph. The interesting case occurs when
this inequality is not satisfied.

Alexander Lubotzky et al. [89] coined the term Ramanujan graph for an $r$-regular graph in
which the largest eigenvalue other than $\lambda_n = r$ is less than or equal to the Alon-Boppana
bound. Ramanujan graphs are named after Indian mathematician Srinivasa Ramanujan,
and because they achieve close to the largest spectral gap possible, Ramanujan graphs
give good explicit constructions for expanders; they are often considered to be the most
well-connected among regular graphs. Precisely, let $G$ be an $r$-regular graph and let $\lambda(G)$
be $\max_{|\lambda_i| < r} |\lambda_i|$. Then $G$ is Ramanujan if $\lambda(G) \le 2\sqrt{r-1}$. Interestingly, Lubotzky et al.
constructed their Ramanujan graphs from Cayley graphs; the Petersen graph is an example
of a Ramanujan graph. As a consequence, most constructions of Ramanujan graphs are
algebraic in nature. Ramanujan graphs have an interesting niche in coding theory; certain
codes such as Robert Gallager's Low Density Parity Check Codes can be constructed using
Ramanujan graphs [106]. Since these graphs are good examples of connectivity, a family
of Ramanujan graphs can yield a family of expanders.

While the literature varies about loop inclusion, Table 6.51 includes the DES Boolean Cayley
graphs that satisfy the Ramanujan property, namely $\lambda \le 2\sqrt{32-1} \approx 11.13552873$.
If loops are included, then 26 out of the 32 Cayley graphs are Ramanujan. A star (*)
indicates that the corresponding Cayley graph has loops. Given the large number of Ramanujan
graphs in Table 6.51 out of the 32 possible, perhaps this yields important design
considerations about S-Box construction using BFs. Interestingly, the six graphs that are
not Ramanujan are also the only ones in which the associated BFs achieve the smallest
nonlinearity of 20.
S-Box   Ramanujan
S_1     f_4
S_2     f_2, f_3, f_4*
S_3     f_1*, f_3
S_4     f_1*, f_2*, f_3*, f_4*
S_5     f_1, f_2, f_3, f_4
S_6     f_1, f_2, f_3, f_4
S_7     f_1, f_2, f_3, f_4
S_8     f_1*, f_2, f_3, f_4

Table 6.51: The DES Functions with Ramanujan Cayley Graphs.


6.5 Distance to Linear Functions 

An interesting application of nonlinearity involves finding the nearest linear or affine function
to a BF. Recall the WHT given by

$$W(f)(u) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus \langle u, x \rangle}.$$

This equation is also equal to the number of 0s minus the number of 1s in the function
$f \oplus \ell_u$, where $\ell_u$ is the linear function $\ell_u(v) = \langle u, v \rangle$. Thus, $W(f)(u) = 2^n - 2\,\mathrm{wt}(f \oplus \ell_u) = 2^n - 2d(f, \ell_u)$.
It follows that for a function $f$ and a fixed linear function $\ell_u(v)$, we have

$$d(f, \ell_u) = \tfrac{1}{2}\bigl(2^n - W(f)(u)\bigr). \qquad (6.1)$$

Equation 6.1 implies that the nearest affine function $\ell_{u,a_0}(v) = a_0 \oplus \langle u, v \rangle$, $a_0 \in \mathbb{F}_2$, to $f$ (in
terms of Hamming distance) is the function where $|W(f)(u)|$ is the largest [39]. We give
an example of how to find the nearest affine function to the first S-Box BF, and then the
remaining functions are merely listed.

First recall that the nonlinearity of $f_1$ in S-Box 1 is 20, i.e., $N_{f_1} = 20$. The largest
Walsh-Hadamard (absolute) value of this function is 24, which occurs for the input vector
$u_{43} = 101011$. To find the nearest affine function, we compute

$$\begin{aligned}
\ell_{u,a_0}(v) &= a_0 \oplus \langle u, v \rangle \\
\ell_{43,1}(v) &= 1 \oplus \langle 101011, v \rangle \\
&= 1 \oplus (101011) \cdot (x_6, x_5, x_4, x_3, x_2, x_1) \\
&= 1 \oplus x_1 \oplus x_2 \oplus x_4 \oplus x_6.
\end{aligned}$$

As a check, we can see that $d(f_1, \ell_{43,1}) = \tfrac{1}{2}(2^6 - 24) = 20$, which matches the nonlinearity
of $f_1$. Thus, we need to change 20 bits in $f_1$ in order to arrive at the affine function $1 \oplus x_1 \oplus x_2 \oplus x_4 \oplus x_6$.
It should also be noted that some of the DES functions have multiple vectors
which yield the largest WHT value, e.g., $f_4$ in S-Box 1 has eight vectors that produce ±16.
For such functions, we only list one possible affine function. Table 6.52 lists the
nearest affine functions to the DES S-Box functions.
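Equation 6.1 and the spectral quantities of Sections 6.2 to 6.4 all come out of a single Walsh-Hadamard transform. The following added Python example (my code, not the thesis's or its Maple appendix) shows the whole chain on the truth table listed in Appendix A.1: the WHT, the nonlinearity, the nearest affine function chosen by the largest |W(f)(u)| (with a_0 = 1 when W(f)(u) < 0, as in the ℓ_{43,1} computation above), the Cayley graph adjacency eigenvalues λ_u = Σ_x f(x)(−1)^⟨u,x⟩ = (2^n[u = 0] − W(f)(u))/2 taken from that same transform and confirmed against the explicit adjacency matrix, the Laplacian multiplicities in the form of Table 6.48, the spectral gap, the Ramanujan test of Section 6.4 with the bound 2√(r−1), and the spanning-tree count of Table 6.50 by the matrix-tree theorem. Which S-Box coordinate function the appendix truth table is, and the bit-to-variable convention (bit k−1 of the index is x_k, so 101011 pairs with (x_6, …, x_1) as in the text), are assumptions.

```python
import math
from collections import Counter

N = 6

# Truth table taken from Appendix A.1 of the thesis (the page does not say which
# S-Box coordinate function it is). Entry i is f(x) for the input whose 6-bit
# binary expansion is i; bit k-1 of the index is the variable x_k (assumption),
# so u = 101011 (= 43) pairs with (x6, x5, x4, x3, x2, x1) as in the text.
TT_A1 = [1,1,1,1,1,1,0,0,1,0,0,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,0,1,0,1,1,1,
         0,1,0,1,1,0,1,1,0,0,1,1,1,1,1,0,1,0,1,0,0,0,0,0,0,1,1,0,1,1,0,1]


def walsh_hadamard(tt):
    """W(f)(u) = sum_x (-1)^(f(x) xor <u,x>) for every u, by the fast transform."""
    w = [1 - 2 * v for v in tt]  # (-1)^f(x)
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w


def nonlinearity(tt):
    return (len(tt) - max(abs(v) for v in walsh_hadamard(tt))) // 2


def nearest_affine(tt, n):
    """Equation 6.1: d(f, l_u) = (2^n - W(f)(u)) / 2, so the closest affine function
    a0 xor <u,x> uses the u with the largest |W(f)(u)| and a0 = 1 when W(f)(u) < 0.
    Returns (u, a0, distance, label); the first u attaining the maximum is used."""
    w = walsh_hadamard(tt)
    u = max(range(len(w)), key=lambda i: abs(w[i]))
    a0 = 1 if w[u] < 0 else 0
    dist = (len(tt) - abs(w[u])) // 2
    terms = [f"x{k + 1}" for k in range(n) if (u >> k) & 1]
    label = " ⊕ ".join((["1"] if a0 else []) + terms) or "0"
    return u, a0, dist, label


def cayley_spectrum(tt):
    """Adjacency eigenvalues of the Cayley graph of f (x ~ y iff f(x xor y) = 1).
    The characters chi_u(x) = (-1)^<u,x> are eigenvectors with eigenvalue
    lambda_u = sum_x f(x)(-1)^<u,x> = (2^n [u = 0] - W(f)(u)) / 2, an exact integer."""
    w = walsh_hadamard(tt)
    size = len(tt)
    return [((size if u == 0 else 0) - w[u]) // 2 for u in range(size)]


def verify_eigenvectors(tt, spectrum):
    """Brute-force check A chi_u = lambda_u chi_u on the explicit adjacency matrix."""
    size = len(tt)
    for u in range(size):
        chi = [-1 if bin(u & x).count("1") % 2 else 1 for x in range(size)]
        for x in range(size):
            if sum(tt[x ^ y] * chi[y] for y in range(size)) != spectrum[u] * chi[x]:
                return False
    return True


def laplacian_multiplicities(spectrum):
    """Laplacian eigenvalues r - lambda_u (r = lambda_0 = wt(f) is the degree) with multiplicities."""
    r = spectrum[0]
    return dict(sorted(Counter(r - lam for lam in spectrum).items()))


def spectral_gap(spectrum):
    return spectrum[0] - max(spectrum[1:])


def is_ramanujan(spectrum):
    """Every eigenvalue other than lambda_0 = r must satisfy |lambda| <= 2 sqrt(r - 1)."""
    r = spectrum[0]
    return max(abs(lam) for lam in spectrum[1:]) <= 2 * math.sqrt(r - 1)


def spanning_trees(spectrum):
    """Matrix-tree theorem: tau = (1/|V|) * prod_{u != 0} (r - lambda_u); 0 if disconnected."""
    r = spectrum[0]
    prod = 1
    for lam in spectrum[1:]:
        prod *= r - lam
    return prod // len(spectrum)


if __name__ == "__main__":
    spec = cayley_spectrum(TT_A1)
    u, a0, dist, label = nearest_affine(TT_A1, N)
    print(f"nonlinearity {nonlinearity(TT_A1)}; nearest affine u={u} ({u:06b}): {label}, distance {dist}")
    print("adjacency eigenvalues:", dict(sorted(Counter(spec).items())))
    print("Laplacian eigenvalues:", laplacian_multiplicities(spec))
    print("spectral gap:", spectral_gap(spec), "Ramanujan:", is_ramanujan(spec),
          "spanning trees: %.4e" % spanning_trees(spec),
          "eigenvectors verified:", verify_eigenvectors(TT_A1, spec))
```

For a balanced function W(f)(0) = 0, so the largest nontrivial |λ_u| is 2^{n-1} − N_f; that is exactly why nonlinearity 20 coincides with the eigenvalue ±12 and with failing the Ramanujan bound 2√31 ≈ 11.14 in relation 7 and Table 6.51.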
S-Box   Function   N_f   a    Nearest Affine Function
1       f_1        20    43   1 ⊕ x1 ⊕ x2 ⊕ x4 ⊕ x6
1       f_2        20    54   x2 ⊕ x3 ⊕ x5 ⊕ x6
1       f_3        20    41   x1 ⊕ x4 ⊕ x6
1       f_4        24    53   1 ⊕ x1 ⊕ x3 ⊕ x5 ⊕ x6
2       f_1        20    47   1 ⊕ x1 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ x6
2       f_2        24    15   x1 ⊕ x2 ⊕ x3 ⊕ x4
2       f_3        22    21   x1 ⊕ x3 ⊕ x5
2       f_4        24    61   1 ⊕ x1 ⊕ x3 ⊕ x4 ⊕ x5 ⊕ x6
3       f_1        22    49   1 ⊕ x1 ⊕ x5 ⊕ x6
3       f_2        20    54   1 ⊕ x2 ⊕ x3 ⊕ x5 ⊕ x6
3       f_3        22    29   1 ⊕ x1 ⊕ x3 ⊕ x4 ⊕ x5
3       f_4        20    28   x3 ⊕ x4 ⊕ x5
4       f_1        22    14   x2 ⊕ x3 ⊕ x4
4       f_2        22    30   1 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ x5
4       f_3        22    14   1 ⊕ x2 ⊕ x3 ⊕ x4
4       f_4        22    13   x1 ⊕ x3 ⊕ x4
5       f_1        22    20   x3 ⊕ x5
5       f_2        24    46   1 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ x6
5       f_3        24    42   x2 ⊕ x4 ⊕ x6
5       f_4        22    52   1 ⊕ x3 ⊕ x5 ⊕ x6
6       f_1        22    31   1 ⊕ x1 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ x5
6       f_2        22    29   1 ⊕ x1 ⊕ x3 ⊕ x4 ⊕ x5
6       f_3        22    55   1 ⊕ x1 ⊕ x2 ⊕ x3 ⊕ x5 ⊕ x6
6       f_4        22    41   x1 ⊕ x4 ⊕ x6
7       f_1        22    46   x2 ⊕ x3 ⊕ x4 ⊕ x6
7       f_2        22    20   1 ⊕ x3 ⊕ x5
7       f_3        24    40   x4 ⊕ x6
7       f_4        22    62   x2 ⊕ x3 ⊕ x4 ⊕ x5 ⊕ x6
8       f_1        24    43   1 ⊕ x1 ⊕ x2 ⊕ x4 ⊕ x6
8       f_2        22    12   x3 ⊕ x4
8       f_3        22    56   x4 ⊕ x5 ⊕ x6
8       f_4        22    50   x2 ⊕ x5 ⊕ x6

Table 6.52: The Nearest Affine Functions to the DES S-Box BFs.
CHAPTER 7:

Extensions on DES Substitution Boxes


Recall that Adams and Tavares [50] explained that good BFs used in S-Boxes need to
satisfy the SAC. Granted, the SAC did not exist at the time that DES was introduced, and
Webster and Tavares [58] even demonstrated that the DES S-Boxes do not satisfy the SAC.
In this chapter, we analyze one of the design criteria of the DES S-Boxes and apply it to
the coordinate vectorial BFs.


7.1 Methods

The specific design criterion we examine is listed by Coppersmith [21] as property (S-5),
i.e., by complementing the middle two input bits, we should see the output bits differing
in at least two positions. Mathematically, the DES S-Boxes are required to adhere to the
following: $f(x)$ and $f(x \oplus 001100)$ differ in at least two bits. This criterion was based on
the S-Box as a function, i.e., $f : \mathbb{F}_2^6 \to \mathbb{F}_2^4$. We cannot specifically examine this property on
the coordinate BFs because our outputs are single bits rather than strings of four bits. Thus,
we perform a PC(2) check on the coordinate functions using Coppersmith's vector 001100.
We aim to answer the following questions in this chapter:

1. Do the DES S-Box coordinate functions satisfy the PC of degree 2?

2. Do the DES S-Box coordinate functions satisfy the PC of degree 1, i.e., SAC?

Recall that for a function to satisfy the PC of degree $k = 2$, we need to check all possible
two-bit changes in the inputs and verify that the output changes in exactly one half of the
total outputs. Also recall that this can be done by either counting the number of positions
where $f(x)$ and $f(x \oplus a)$ differ, or by verifying that the weight of $f(x) \oplus f(x \oplus a)$ is $2^{n-1}$.
If $\mathrm{wt}(f(x) \oplus f(x \oplus 001100)) \ne 32$ for any function $f_i$ in the DES S-Boxes, $1 \le i \le 32$, then
we can conclude that $f_i$ does not satisfy PC(2).

We already know that the DES S-Boxes do not satisfy the SAC, but this does not imply that
the row functions do not satisfy this property. We aim to shed light on this concept in this
chapter.
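The check just described, as an added Python example (my code, not the thesis's Maple code in Appendix A.2): it computes wt(f(x) ⊕ f(x ⊕ a)) for a chosen vector a, runs the weight-2 vectors of the PC(2) check (the thesis eliminates functions with 001100 first and then 110000, 101000 and 100100; this example reports every weight-2 vector that eliminates the function in one pass) and the weight-1 vectors of the SAC, and contrasts the result with a constructed 4-variable bent function, which passes PC(k) for every k. The truth table is the one from Appendix A.2; which coordinate function it is and the variable convention (bit k−1 of the input index is x_k, so 001100 complements x_3 and x_4) are assumptions.

```python
from itertools import combinations

N = 6

# Truth table taken from Appendix A.2 of the thesis (the page does not say which
# S-Box coordinate function it is). Entry i is f(x) for the input whose 6-bit
# binary expansion is i; bit k-1 of the index is the variable x_k (assumption),
# so the vector 001100 (= 12) complements the middle two input bits x3 and x4.
TT_A2 = [0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,1,0,1,0,0,1,0,1,0,1,0,0,0,1,1,0,
         1,1,1,1,1,1,1,0,0,1,0,0,1,0,0,0,0,0,0,1,1,0,1,0,1,0,1,1,0,1,0,1,1]

# Constructed 4-variable bent function x1x2 xor x3x4; bent functions satisfy PC(k) for all k.
BENT4 = [((x & 1) & (x >> 1 & 1)) ^ ((x >> 2 & 1) & (x >> 3 & 1)) for x in range(16)]


def derivative_weight(tt, a):
    """wt(f(x) xor f(x xor a)) over all x; f propagates a iff this equals 2^(n-1).
    This is the quantity the Maple code in Appendix A.2 computes for a = 001100."""
    return sum(tt[x] ^ tt[x ^ a] for x in range(len(tt)))


def vectors_of_weight(n, k):
    """All a in F_2^n with exactly k one-bits."""
    for bits in combinations(range(n), k):
        yield sum(1 << b for b in bits)


def pc_failures(tt, n, weights):
    """Map a -> wt(f(x) xor f(x xor a)) for every a whose weight is in `weights`
    and whose derivative is not balanced, i.e. every vector that eliminates f."""
    half = len(tt) // 2
    all_weights = {a: derivative_weight(tt, a)
                   for k in weights for a in vectors_of_weight(n, k)}
    return {a: w for a, w in all_weights.items() if w != half}


def satisfies_pc(tt, n, k):
    """PC(k) in the usual sense: balanced derivative for every a with 1 <= wt(a) <= k
    (k = 1 is the SAC). The Chapter 7 tables run the weight-2 vectors only, starting
    with 001100; pc_failures(tt, n, [2]) reproduces that part of the check."""
    return not pc_failures(tt, n, range(1, k + 1))


def fmt(a, n):
    return format(a, f"0{n}b")


if __name__ == "__main__":
    a = 0b001100
    print(f"wt(f(x) xor f(x xor {fmt(a, N)})) = {derivative_weight(TT_A2, a)}  (32 needed)")
    print("SAC (PC(1)):", satisfies_pc(TT_A2, N, 1), " PC(2):", satisfies_pc(TT_A2, N, 2))
    print("weight-2 vectors eliminating f:",
          {fmt(v, N): w for v, w in pc_failures(TT_A2, N, [2]).items()})
    print("bent x1x2 xor x3x4 satisfies PC(4):", satisfies_pc(BENT4, 4, 4))
```

The derivative weight is always even, because x and x ⊕ a contribute the same bit, so for a 6-variable function the only passing value is 32; anything else in the tables below is a definite failure rather than a rounding question.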
7.2 Results on Propagation Criteria of Degree 2

Tables 7.1, 7.2, 7.3, and 7.4 display the results of the PC(2) check for the vector 001100.
Rows with weight 32 (highlighted in green in the original) satisfy the check for this vector; all
others are eliminated from the check.


S-Box   f_i   wt(f(x) ⊕ f(x ⊕ 001100))
1       f_1   36
1       f_2   32
1       f_3   36
1       f_4   32
2       f_1   24
2       f_2   24
2       f_3   32
2       f_4   32

Table 7.1: Results of PC(2) Check on S-Boxes 1 and 2.


S-Box   f_i   wt(f(x) ⊕ f(x ⊕ 001100))
3       f_1   28
3       f_2   32
3       f_3   24
3       f_4   32
4       f_1   28
4       f_2   28
4       f_3   28
4       f_4   28

Table 7.2: Results of PC(2) Check on S-Boxes 3 and 4.


S-Box   f_i   wt(f(x) ⊕ f(x ⊕ 001100))
5       f_1   28
5       f_2   36
5       f_3   32
5       f_4   36
6       f_1   28
6       f_2   24
6       f_3   28
6       f_4   32

Table 7.3: Results of PC(2) Check on S-Boxes 5 and 6.


S-Box   f_i   wt(f(x) ⊕ f(x ⊕ 001100))
7       f_1   24
7       f_2   32
7       f_3   28
7       f_4   32
8       f_1   28
8       f_2   32
8       f_3   40
8       f_4   36

Table 7.4: Results of PC(2) Check on S-Boxes 7 and 8.


For these 11 functions that are still eligible to satisfy PC(2), eight are further eliminated
with a check on the vector a = 110000. The final three are also eliminated with checks
on vectors b = 101000 and c = 100100. Therefore, we reach the following conclusion
concerning PC.

Result 1: The 32 coordinate BFs comprising the DES S-Boxes do not satisfy PC(2).


7.3 Results on Strict Avalanche Criteria

In this section, we display the results of the SAC check on the DES S-Box coordinate
functions. Table 7.5 depicts the check of SAC using the vector a = 100000.
S-Box   f_i   wt(f(x) ⊕ f(x ⊕ 100000))
1       f_1   48
1       f_2   44
1       f_3   48
1       f_4   40
2       f_1   36
2       f_2   44
2       f_3   44
2       f_4   40
3       f_1   44
3       f_2   52
3       f_3   40
3       f_4   36
4       f_1   48
4       f_2   36
4       f_3   48
4       f_4   36
5       f_1   36
5       f_2   48
5       f_3   44
5       f_4   48
6       f_1   44
6       f_2   40
6       f_3   40
6       f_4   48
7       f_1   44
7       f_2   36
7       f_3   48
7       f_4   48
8       f_1   44
8       f_2   40
8       f_3   44
8       f_4   40

Table 7.5: Results of SAC Check on DES S-Boxes.


Note that there are no functions in Table 7.5 with a corresponding weight of 32 in the
weight column. Since none of these functions have this property, there is no need to check
any other vector of weight one in $\mathbb{F}_2^6$. Therefore, we reach the following conclusion:

Result 2: The 32 coordinate BFs comprising the DES S-Boxes do not satisfy PC(1), i.e.,
SAC. Furthermore, we are justified in stating the implication from Webster and
Tavares (only for DES). If the S-Box function $f : \mathbb{F}_2^6 \to \mathbb{F}_2^4$ does not satisfy the
SAC, then its coordinate BFs do not satisfy the SAC either.
CHAPTER 8:
Conclusion


In this chapter, we summarize the findings of this thesis and present some aspects requiring
further research.


8.1 Summary of Results

The goal of this thesis was to analyze DES in a new light. We used techniques from
spectral graph theory to make statements about the Cayley graphs associated with the DES
BFs. Several loose connections were also made between the cryptographic properties of
these BFs and the Cayley graph spectra.

The Cayley graphs of these BFs all seem to share many of the same graph properties, particularly
in diameter, clique number, independence number, and chromatic number. Since
all 32 graphs are 32-regular, however, this is not so hard to believe. Many of the cryptographic
properties of the BFs are also the same, such as degree, balance, weight, algebraic
immunity, correlation immunity, and resiliency. The nonlinearity of the BFs is the primary
property of variance, and it seems to be related to the multiplicity of the graph eigenvalues
(in the case of DES at least).

We also found a new characterization of the DES Cayley graphs as Ramanujan graphs.
These are graphs with special properties with regard to expansion; expansion relies on the
size of the spectral gap. Also, we confirmed that the DES BFs do not satisfy the SAC nor
the PC(2).

8.2 Areas for Future Work

There are other areas that could be extended from the work of this thesis. These areas are
summarized in the following list.

1. DES Related

• What can we learn from other matrices associated with the DES BFs, e.g., normalized
Laplacian, signless Laplacian, incidence, etc.?

• What can be investigated with the energy spectrum of the BFs, i.e., the square of
the WT? Is there a relation between the energy spectrum and the cryptographic
properties?

• Can the inverse eigenvalue problem be applied here, i.e., can we deduce information
about the graph spectra from a family of matrices producing this graph?

• Can we find patterns in the number of random walks in the Cayley graphs?

• What is the energy of the Cayley graphs, i.e., the sum of the adjacency matrix
eigenvalues in absolute value, and can we determine a relation with the properties
of the BFs? Can we determine a formula for the energy of the Cayley graph
for a BF on n variables?

2. Non-DES Related

• Apply spectral graph theoretic techniques to other block ciphers such as AES,
or even the combiner functions used in stream ciphers.

• Investigate relations between Ramanujan graphs and BFs used in cryptosystems.

• What more can be done with the Laplacian spectra? If we bound the Laplacian
eigenvalues by known relations, how are the associated BFs affected?

• Can we determine a general formulaic relationship between the cryptographic
properties of any BF and the spectrum of its associated Cayley graph?

• Is there a relationship between the spectral gap of a Cayley graph and the nonlinearity
of its associated BF?
APPENDIX: Thesis Code


This appendix displays some of the code used from Maple to help compute some of the
properties examined in this thesis. Potential users of this code should validate its execution
before implementation.


A.1 Adjacency Matrix Coding


> restart;

Build list of 2^6 input vectors as list of sequences (binary digits of i, most significant first)

> a := [seq(ListTools[Reverse](convert(i+64, base, 2)[1..-2]), i=0..63)];

Confirm list has 2^6 elements

> nops(a);

Test extraction from list

> a[12];

> a[32];

Test mod 2 addition on the two elements just extracted (written with Maple's %% and % for the two previous results)

> %% + % mod 2;

Assign truth table outputs to new sequence list; change as needed

> b := [1,1,1,1,1,1,0,0,1,0,0,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,0,1,0,1,1,1,
0,1,0,1,1,0,1,1,0,0,1,1,1,1,1,0,1,0,1,0,0,0,0,0,0,1,1,0,1,1,0,1];

Confirm list has 2^6 elements

> nops(b);

Test to extract i-th item from list

> a[64]; a[4]; b[2]; b[4];

Create function/mapping from set a to set b (remember-table assignment f(a[i]) := b[i])

> for i from 1 to 64 do f(a[i]) := b[i]; od;

Test the function

> f(a[2]); f(a[4]);

Test bit operations

> a[12] + a[32] mod 2;

All possible XOR elements in set a: for each j, add a[j] to every later element
a[j+i] mod 2 and evaluate f on the sum, printing "break here" after each j
(the nested loop is equivalent to writing out the 63 inner loops one after another)

> for j from 1 to 63 do
>   for i from 1 to 64-j do a[j] + a[j+i] mod 2; f(%); od;
>   printf("break here");
> od;


A.2 PC Check Coding

> restart;

> a := [seq(ListTools[Reverse](convert(i+64, base, 2)[1..-2]), i=0..63)];


Change as needed

> b := [0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,1,0,1,0,0,1,0,1,0,1,0,0,0,1,1,0,
1,1,1,1,1,1,1,0,0,1,0,0,1,0,0,0,0,0,0,1,1,0,1,0,1,0,1,1,0,1,0,1,1];


Confirm 2^6 entries in each list

> nops(a); nops(b);

Define the function from its truth table (needed again after restart; same construction as in A.1)

> for i from 1 to 64 do f(a[i]) := b[i]; od;

Add vector 001100 to every element in a mod 2;
evaluate resulting sum in function list

> for i from 1 to 64 do a[i] + [0,0,1,1,0,0] mod 2; f(%); od;

Compare original function value to PC check vector value (build the list of f(x) + f(x + 001100) mod 2)

> myvec := [seq(f(a[i]) + f(a[i] + [0,0,1,1,0,0] mod 2) mod 2, i=1..64)];

Count # of times "1" appears --> weight of resulting vector

> numboccur(myvec, 1);